2 Certs with the same domain as CN?


How is it possible that a domain can be CN twice for an LE Cert?

I have an LE Cert that I created myself, with many alternative names domains on a CN domain. Now I have outsourced the domain from the CN to a host that automatically creates LE Certs. Now I have two LE Certs with the same domain as CN and both are valid. How is it possible?


There’s no restriction regarding having certificates with the same names, or even exact duplicates, aside from the rate limits (5 duplicate certificates can be created in a given 7-day window.) This is commonly used for load balancer setups, and the process would be identical to requesting the certificate the first time.


One way to look at this phenomenon is to think of a certificate as asserting that a public key is authorized to be used for a name. This isn’t meant to deny that other public keys may also be authorized to be used for the same name, for example because of the kind of round-robin and load balancing systems that @jared.m mentions, or because of CDNs, or because of failover systems, or because a system is being switched from one key to another, or a service is being switched from one key to another…

So, there’s simply no limit at all on overlapping certificate validity in the web PKI, because certificates confirm that something is OK, rather than asserting that something else is not OK. When subscribers or certificates definitively decide that something is not OK, the corresponding certificates are supposed to be explicitly revoked.

The mechanism that says that only a certain key or certificate is OK (and others are specifically not OK) is called certificate pinning, but the most important pinning implementation, the HPKP implementation in Google Chrome, is being phased out because its developers decided that it was too dangerous in its propensity to wrongly lock people out of access to sites.
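Added example, not from this thread and not Let's Encrypt's own tooling: a throwaway private CA (standing in for the real CA) issues two leaf certificates for the same constructed name `example.test`, each with its own key, and `openssl verify` accepts both at once, which is the situation @jared.m describes. The second half takes an HPKP-style SPKI pin from the first key and checks it against the second certificate; the pin rejects the new certificate even though the CA vouches for it, which is the lock-out behaviour that made browser pinning dangerous. The CA name, the hostname, the temp directory and the function names are all assumptions made for the demo; it needs only the `openssl` command line.

```shell
#!/bin/sh
# Added demo (not from the thread): two valid certs for one name, then a pin that
# accepts only one of them. Everything lives in a temp dir and is removed on exit.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CN="example.test"   # constructed hostname, not a real site

# Minimal config for a self-signed test root (hypothetical "Test CA").
cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Minimal config for a leaf CSR with the shared CN.
cat > "$WORKDIR/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $CN
EOF

make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 7 -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# issue_leaf LABEL: fresh key + CSR for $CN, signed by the test CA.
issue_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -config "$WORKDIR/leaf.cnf" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$CN" > "$WORKDIR/$1.ext"
  openssl x509 -req -sha256 -days 7 -in "$WORKDIR/$1.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$1.ext" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# verify_leaf LABEL: exit 0 if the CA accepts the cert today.
verify_leaf() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

leaf_cn()     { openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
leaf_serial() { openssl x509 -in "$WORKDIR/$1.crt" -noout -serial; }

# spki_pin LABEL: base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP pin format.
spki_pin() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl enc -base64
}

# pin_matches LABEL PIN: exit 0 only if the cert's key is the pinned one.
pin_matches() { [ "$(spki_pin "$1")" = "$2" ]; }

make_ca
issue_leaf old   # the cert you issued yourself
issue_leaf new   # the cert the new host issued automatically
PINNED="$(spki_pin old)"   # a pin taken while only "old" existed

for c in old new; do
  if verify_leaf "$c"; then v=valid; else v=INVALID; fi
  if pin_matches "$c" "$PINNED"; then p=accepted; else p=REJECTED; fi
  echo "$c: $(leaf_cn "$c") $(leaf_serial "$c") chain=$v pin=$p"
done
```

Both lines report `chain=valid` with the same `CN=example.test` and different serials, while the pin line flips from `accepted` to `REJECTED` on the new key: the CA answers "is this key OK for this name", and nothing in that answer says the other key is not.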

