HP 250m Print Server for Fast Ethernet, 250m Print Server - Fast Ethernet manual SubjectAltName

Models: 250m Print Server for Fast Ethernet

Figure 39 - SubjectAltName


Notice how there isn’t even a Common Name in the LDAP server’s certificate. If you remember, we tried connecting to the LDAP server using the IP address of 192.168.0.1 and it failed. When we switched to w2003.example.internal, it passed. We can now see why. A name check was done between the FQDN specified for the LDAP server and the SubjectAlternativeName entry of type dNSName, whose syntax is very well known. The SubjectAlternativeName can contain multiple dNSNames, and it can contain IP addresses as well. As time goes on, the SubjectAlternativeName will be used more and more, since its syntax is better understood than that of the Common Name, at least for HTTPS. From RFC 2818, which describes HTTP over TLS: “If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.”
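The name check described above can be sketched as follows. This is an added example, not code from the manual or from the print server firmware. It assumes the certificate is given as a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificates are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:   # example's choice: no bare "*" or "*.tld"
        return p[1:] == h[1:]
    return p == h

def check_identity(cert, reference):
    """Return (matched, field_used) for a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP reference is compared only with iPAddress entries, never dNSName/CN.
        ips = [v for t, v in san if t == "IP Address"]
        return any(ipaddress.ip_address(v) == ip for v in ips), "iPAddress"
    dns = [v for t, v in san if t == "DNS"]
    if dns:
        # RFC 2818: a dNSName, when present, MUST be used; the CN is ignored.
        return any(_dns_match(d, reference) for d in dns), "dNSName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cns:
        # Fallback; "most specific" CN taken here as the last one (assumption).
        return _dns_match(cns[-1], reference), "commonName"
    return False, "none"

# Constructed sample certificates (not taken from the manual's figure).
LDAP_CERT = {"subject": (), "subjectAltName": (("DNS", "w2003.example.internal"),)}
BOTH_CERT = {"subject": ((("commonName", "old.example.internal"),),),
             "subjectAltName": (("DNS", "w2003.example.internal"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "w2003.example.internal"),),)}
IP_CERT = {"subject": (), "subjectAltName": (("DNS", "w2003.example.internal"),
                                             ("IP Address", "192.168.0.1"))}

if __name__ == "__main__":
    for ref in ("192.168.0.1", "w2003.example.internal"):
        print(ref, check_identity(LDAP_CERT, ref))
```

With `LDAP_CERT`, the IP address reference fails because the certificate carries no iPAddress entry, while the FQDN matches the dNSName; `BOTH_CERT` shows that a Common Name is not consulted once a dNSName is present.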
