Classification: FMOS
Category: X.509 certificate usage or issue
Severity: Warning
Summary
The supplied certificate does not include the name of this machine in its list of valid names. Unless a proxy or load balancer that matches one of the names listed in this certificate is in use, clients and subordinate servers will not be able to communicate with this machine.
Description
This warning is issued by fmos pki import-server-cert when the supplied server certificate does not include the fully-qualified domain name of the machine in its subject or subject alternative name fields.
Impact
Clients examine the certificate presented by a server to determine whether it is in fact the one they expected. If the name they used to locate the server does not match any name in the certificate the server presents, the communication may be being intercepted. To prevent information disclosure to a malicious third party, clients refuse to connect to servers that present certificates without the correct name.
In a multi-server FMOS ecosystem, subordinate servers and clients may not be able to connect to this machine if its certificate does not match its DNS name.
Cause
Certificates specify the name of the machine whose identity they certify in one of two ways:
- The value of the common name (CN) attribute of the distinguished name in the certificate's subject field
- One or more entries of type DNS name in the certificate's subject alternative name (SAN) extension
If a certificate lists any DNS names in its subject alternative name extension, clients use only those names and ignore the common name in the subject field (RFC 6125, section 6.4.4). Many current clients no longer fall back to the common name at all, so a certificate that carries the machine's name only in its subject is itself likely to be rejected; the name should be present in the subject alternative name extension.
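The following script reproduces the name check described above so that a certificate can be inspected before it is imported. It is an added example written for this article, not part of FMOS or of fmos pki import-server-cert. It takes certificates in the dictionary form returned by Python's ssl.SSLSocket.getpeercert(); the three embedded certificates and the hostnames fmos01.example.com and fm.example.com are constructed for illustration. The matching rules (SAN DNS entries take precedence over the CN; wildcards are honoured only as the whole left-most label and match exactly one label) are those of RFC 6125, applied here to the CN fallback as well so that the older, fallback-permitting behaviour can be seen.

```python
"""Server-name matching as a TLS client performs it (RFC 6125 rules)."""
import socket
import ssl
from typing import Optional

# Constructed example certificates in the shape returned by
# ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a tuple of
# (attribute, value) pairs; 'subjectAltName' is a tuple of (type, value) pairs.
# The host names are hypothetical.
CERT_SAN_FOR_LOAD_BALANCER = {          # CN names this machine, SAN names the load balancer
    "subject": ((("commonName", "fmos01.example.com"),),),
    "subjectAltName": (("DNS", "fm.example.com"),),
}
CERT_CN_ONLY = {                        # no SAN extension at all
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "fmos01.example.com"),)),
}
CERT_WILDCARD = {                       # SAN present, so the CN is ignored
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.0.2.10")),
}


def certificate_names(cert: dict) -> list:
    """Return the DNS names a certificate asserts for the server.

    If any DNS entries exist in the SAN extension they are authoritative and the
    subject CN is ignored; only a certificate with no SAN DNS entries falls back
    to the CN (and many current clients do not fall back at all).
    """
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return san_dns
    return [value for rdn in cert.get("subject", ()) for attr, value in rdn if attr == "commonName"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against the hostname the client used.

    Comparison is case-insensitive. A wildcard counts only as the entire
    left-most label and matches exactly one label, so "*.example.com" covers
    "fmos01.example.com" but not "a.b.example.com".
    """
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    if pattern_labels[0] == "*":
        # Refuse wildcards broad enough to cover a whole top-level domain ("*.com").
        return len(pattern_labels) >= 3 and pattern_labels[1:] == host_labels[1:]
    return pattern_labels == host_labels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for the name the client connected to."""
    return any(dns_name_matches(name, hostname) for name in certificate_names(cert))


def check_server_cert(cert: dict, machine_fqdn: str) -> str:
    """Report, as the import-time check does, whether this machine's FQDN is covered."""
    names = certificate_names(cert)
    if hostname_matches(cert, machine_fqdn):
        return f"ok: {machine_fqdn} is covered by {names}"
    return (f"warning: {machine_fqdn} is not among the certificate's names {names}; "
            "only a proxy or load balancer answering to one of those names can use it")


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Fetch a live server's certificate in getpeercert() form.

    Chain validation stays on (with verification disabled getpeercert() returns
    an empty dict); only hostname checking is turned off so that a mismatched
    certificate can be inspected instead of rejected. Pass cafile for a private
    or self-signed CA. Network helper; not exercised by the embedded examples.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in [("SAN for load balancer", CERT_SAN_FOR_LOAD_BALANCER),
                        ("CN only", CERT_CN_ONLY), ("wildcard SAN", CERT_WILDCARD)]:
        print(f"{label}: {check_server_cert(cert, 'fmos01.example.com')}")
```

The first constructed certificate is the situation this warning describes: the machine's own name appears only in the CN while the SAN names the load balancer, so a client connecting directly to the machine by its FQDN will reject it, whereas a client connecting to the load balancer's name will accept it.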
Resolution
To resolve this warning, replace the server certificate with one that includes the fully-qualified domain name of the machine in its subject or subject alternative name fields. Because current clients ignore the subject common name, the name should appear in the subject alternative name extension.
If a load balancer, proxy, or other intermediate communication device is in use in the ecosystem, it may have a different name than this machine. If this is the case, and clients will be communicating with the intermediate device instead of this machine directly, the warning can be ignored safely.