Certificate Common Name

Certificates confirm the identity of a service. The identity is specified by the Common Name (CN) and in some cases the subjectAltName embedded in the certificate.

Some vendors refer to subjectAltName certificates as SAN certificates. This acronym is more commonly used for Storage Area Network and can cause confusion.

Early versions of the federated XMPP specification proposed a custom OID, xmppAddr, rather than using subjectAltName. This practice was not widely supported by certificate authorities. Furthermore, it meant that such certificates could not be used for purposes other than XMPP, such as SMTP email or SIP. The XMPP specification has since been relaxed and it is now possible to use a single certificate on a server for SIP, XMPP, SMTP and other purposes.

Many web sites use a name such as www.example.org and include the www prefix in the CN in their certificate. When purchasing a certificate for SIP and XMPP, it is important to ensure that the certificate contains a CN or subjectAltName that specifies the domain alone. For the example.org domain, the certificate should include CN=example.org or subjectAltName=example.org and not something like CN=www.example.org.

In a wildcard certificate, the CN will include an asterisk (*), for example, CN=*.example.org. This type of certificate can be used for the domain example.org and subdomains or hostnames such as www.example.org or mail.example.org.

Some organizations have wildcard certificates for all servers/subdomains in the organization. These are not always suitable for RTC purposes; in particular, RFC 5922 section 7.2 prohibits the use of wildcard certificates for SIP. Some SIP products offer the ability to override this restriction and use wildcard certificates anyway; however, this is not suitable for the public Internet because you cannot be sure that other servers will have the same override enabled.
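As an added example (not code from this guide), the following Python script applies the rules above to the identities read out of a certificate: the bare domain must appear as the CN or as a dNSName subjectAltName, a www name does not count, and a wildcard match is rejected for SIP. The identity lists are constructed inline so it runs offline; with a real certificate you would take the CN and SAN values from `openssl x509 -noout -subject -ext subjectAltName`.

```python
"""Check whether a certificate's identities cover a domain for SIP or XMPP."""
import re

# One hostname label: letters, digits, hyphen, no leading/trailing hyphen, no dots
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def name_matches(identity: str, domain: str) -> bool:
    """Match one certificate identity (CN or dNSName SAN) against a domain.

    A wildcard stands for a single left-most label only, so *.example.org
    matches mail.example.org but not a.b.example.org.
    """
    identity = identity.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if identity == domain:
        return True
    if identity.startswith("*."):
        suffix = identity[1:]                      # ".example.org"
        if not domain.endswith(suffix):
            return False
        left = domain[: -len(suffix)]              # what the asterisk stood for
        return bool(_LABEL.match(left))
    return False


def certificate_covers(names, domain: str, service: str):
    """Return (ok, reason) for a list of CN plus SAN names.

    service is "sip" or "xmpp".  RFC 5922 section 7.2 forbids wildcard
    certificates for SIP, so a wildcard match is reported as a failure there.
    """
    for identity in names:
        if not name_matches(identity, domain):
            continue
        if identity.startswith("*.") and service == "sip":
            return False, f"{identity} is a wildcard; not permitted for SIP"
        return True, f"{identity} covers {domain}"
    return False, f"no CN or subjectAltName entry covers {domain}"


if __name__ == "__main__":
    # Constructed identity lists, not taken from real certificates
    web_only = ["www.example.org"]                 # typical web-site certificate
    bare_and_www = ["www.example.org", "example.org"]
    wildcard = ["*.example.org"]
    for names in (web_only, bare_and_www):
        for svc in ("sip", "xmpp"):
            print(svc, names, certificate_covers(names, "example.org", svc))
    for svc in ("sip", "xmpp"):
        print(svc, wildcard, certificate_covers(wildcard, "mail.example.org", svc))
```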

The correct domain needs to be specified when creating the certificate signing request (CSR) and should be confirmed by the CA in their web-based ordering form. If using the Let's Encrypt utility to obtain certificates, this part of the process is automated.