Common Name is not always identical to the first domain in the order


I was under the impression that the first domain in an order always ends up as the subject / common name in the issued certificate.

But it seems when a renewal is requested while the DNS Authentication is still valid, then the first domain in the (ordered) alternative names is used instead. (This is just a guess though)

This can be seen with the following certificates, which all were requested with the same domains in the same order, with as the first domain.

ECDSA Cert Correct Common Name (=

ECDSA Cert Wrong Common Name (= *

RSA Cert Correct Common Name (=

RSA Wrong Common Name (= *
Not yet listed on
Fingerprint SHA256: 4eb2f821834eac676f0f0300fccac9bb39c4d1d333d49476f1b9725de1cef226

Any assistance would be appreciated.


Hi @RegenwaldOrg

the CN value isn’t relevant.

It’s your decision how you create your CSR, so you can create the CSR with the CN you want to have.

Some clients may have some additional limitations. But the CN isn’t relevant, so use it.
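Added example, not part of the original posts: one way to see which CN a CSR actually asks for and how it compares with the ordered domain list, using the Python `cryptography` package. The domain names, the throwaway key and the helper names `build_csr` and `inspect_csr` are constructed for illustration.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_csr(common_name, dns_names):
    """Build a sample CSR (constructed input) with an explicit CN and SAN order."""
    key = ec.generate_private_key(ec.SECP256R1())  # throwaway key for the demo
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
    )
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def inspect_csr(pem, ordered_domains):
    """Report the CN and SANs a CSR carries and compare them with the order."""
    csr = x509.load_pem_x509_csr(pem)
    cn_attrs = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cn_attrs[0].value if cn_attrs else None  # a CSR may carry no CN at all
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        sans = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    return {
        "cn": cn,
        "sans": sans,
        "cn_is_first_ordered": bool(ordered_domains) and cn == ordered_domains[0],
        "cn_in_sans": cn in sans,
    }


if __name__ == "__main__":
    # Constructed order: apex first, wildcard second.
    order = ["example.org", "*.example.org"]
    # A client that puts the wildcard into the CN even though it is second in the order.
    report = inspect_csr(build_csr("*.example.org", order), order)
    for field, value in report.items():
        print(f"{field}: {value}")
```

Running `inspect_csr` on the PEM file an ACME client wrote to disk shows whether the client, rather than the order, chose the CN.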


Hi Jürgen,

the hint to look at the CSR was what I needed.

