Solved

How to fix "X.509 Certificate Subject CN Does Not Match the Entity"

Posted on 2016-08-09
Last Modified: 2016-08-10
How do we fix the above?

In one site, a VA scan identified this.
Question by:sunhux
LVL 17

Accepted Solution

by:
Learnctx earned 500 total points
ID: 41748493
You will have this when the certificate common name does not match the name of the domain for host, or does not contain a matching subject alternate name (SAN). For example, you have a server called server1 in the domain yourdomain.com. The URL is https://server1.yourdomain.com. You find this name is not very friendly, so you create a DNS record pointing to server1.yourdomain.com called myapp.yourdomain.com. The user goes to https://myapp.yourdomain.com. The browser will throw an error saying that the certificate is not trusted because the URL does not match the certificate name.

To fix this you would need to issue a new certificate with the new name or add a subject alternate name to the certificate for myapps.yourdomain.com.
1
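The name check the accepted answer describes, as an added Python example (not part of the original thread or any poster's code): it takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and tests it against the hostname the user typed. The certificate dicts are constructed for the answer's server1/myapp scenario, and the wildcard rule is a simplified assumption (whole left-most label only, at least three labels).

```python
# Added example: hostname-versus-certificate name check on constructed data.

def cert_dns_names(cert):
    """Return (names, source) from a dict shaped like ssl getpeercert() output."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        # RFC 6125: when SAN dNSName entries exist, the subject CN is not consulted.
        return san, "SAN"
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cn, "CN"


def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # simplified rule: rejects patterns like *.com
        return p[1:] == h[1:] and h[0] != ""
    return p == h


def check_host(cert, host):
    """Return (ok, source, names) so a report can show what the cert presented."""
    names, source = cert_dns_names(cert)
    return any(name_matches(n, host) for n in names), source, names


# Constructed certificates for the scenario in the answer above.
CN_ONLY = {"subject": ((("commonName", "server1.yourdomain.com"),),)}
REISSUED = {
    "subject": ((("commonName", "server1.yourdomain.com"),),),
    "subjectAltName": (("DNS", "server1.yourdomain.com"),
                       ("DNS", "myapp.yourdomain.com")),
}
WILDCARD = {"subject": ((("commonName", "ignored.example"),),),
            "subjectAltName": (("DNS", "*.yourdomain.com"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("reissued", REISSUED),
                        ("wildcard", WILDCARD)):
        for host in ("server1.yourdomain.com", "myapp.yourdomain.com"):
            ok, source, names = check_host(cert, host)
            status = "match" if ok else "MISMATCH"
            print(f"{label:9} {host:24} {status} ({source}: {names})")
```

The CN-only certificate reproduces the scanner finding for the alias name, and the reissued one with both names in the SAN clears it.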
 

Author Comment

by:sunhux
ID: 41748575
Thanks very much.

So I have to obtain a new cert (if it is not a self-signed cert) from the CA for myapps.yourdomain.com?

If this is left alone as such, is it considered a security vulnerability/risk?
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 500 total points
ID: 41749605
No, it is not a security risk as such, just bad practice. Your browser, for example, would suggest that your connection may not be secure because it could be a possible MiTM attack. But as long as you recognise the cert as the one you installed, you can ignore the warning. If it were a customer-facing site you would want to fix it, otherwise that's just embarrassing. If it's something internal... depends how much you care. Issuing a new certificate should be a fairly straightforward procedure and take a couple of minutes. Me personally, I would prefer to fix it because I like to cross my t's and dot my i's, and installing a new cert is a trivial task.
0
