{"id":5584,"date":"2018-12-16T19:30:17","date_gmt":"2018-12-16T17:30:17","guid":{"rendered":"https:\/\/www.imacandi.net\/sin\/blog\/?p=5584"},"modified":"2018-12-16T20:00:25","modified_gmt":"2018-12-16T18:00:25","slug":"cn-san","status":"publish","type":"post","link":"https:\/\/www.imacandi.net\/sin\/blog\/2018\/12\/16\/cn-san.html","title":{"rendered":"cn &#038; san"},"content":{"rendered":"<p>Back in my day &#8482;, when you wanted to generate a certificate, you put in the <strong>CN<\/strong> or <strong>Subject<\/strong> the name you accessed it by or how you validated it, since maybe you were putting it on SMTP or some other service, you sent the CSR off to be signed, got the certificate back and were happy.<\/p>\n<p>Then the SAN (Subject Alternative Name) was invented and you could have several &#8220;names&#8221; on the same certificate, like aliases. And the <strong>rule</strong> went roughly like this: you put the primary FQDN in the CN, and in the SAN you stuffed the hostname or the IP address or other FQDNs etc&#8230; and it wouldn&#8217;t throw an error no matter how you accessed the service, as long as you hit one of the names the certificate was issued for.<\/p>\n<p>A while back I rattled around like a ball in a bucket, not understanding why, when accessing a service by the name in the CN, Chrome and Safari kept throwing it in my face that the certificate isn&#8217;t valid, even though when I looked at the Chain of Trust it told me the certificate is valid. A kind of valid, but actually not.<\/p>\n<p>If I accessed the service using what else I had put in the SAN in the certificate, the error went away. 
Naturally, a round of what-the-hell cursing followed.<\/p>\n<p>Once I was done swearing, I started digging to see whether I&#8217;d gone stupid or something.<\/p>\n<p>The CAB Forum decided that using the CN is optional (section 7.1.4.2 of the Baseline Requirements) and even discourages it.<\/p>\n<p>Well, and it seems that since some version or other, with these new browsers like Chrome and Safari (though I think Firefox does the same), whatever you put in the CN must also exist in the SAN, because they now look only in the SAN for the names the certificate is valid under. Or rather, the CN no longer has any relevance; or else it escapes me what it is still used for.<\/p>\n<p>This one is from the category of how we learn about the evolution of technology &#8220;the hard way&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Back in my day &#8482;, when you wanted to generate a certificate, you put in the CN or Subject the name you accessed it by or how you validated it, since maybe you were putting it on SMTP or some other service, you sent the CSR off to be signed, got the certificate back and were happy. 
Then the SAN (Subject Alternative Name) was invented and you could &hellip; <a href=\"https:\/\/www.imacandi.net\/sin\/blog\/2018\/12\/16\/cn-san.html\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">cn &#038; san<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"ngg_post_thumbnail":0,"footnotes":""},"categories":[2],"tags":[7],"class_list":["post-5584","post","type-post","status-publish","format-standard","hentry","category-diverse","tag-computers"],"_links":{"self":[{"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/posts\/5584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/comments?post=5584"}],"version-history":[{"count":8,"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/posts\/5584\/revisions"}],"predecessor-version":[{"id":5770,"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/posts\/5584\/revisions\/5770"}],"wp:attachment":[{"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/media?parent=5584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/categories?post=5584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.imacandi.net\/sin\/blog\/wp-json\/wp\/v2\/tags?post=5584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org
\/{rel}","templated":true}]}}