Common Name is not always identical to the first domain in the order

Hi,

I was under the impression that the first domain in an order always ends up as the subject / common name in the issued certificate.

But it seems that when a renewal is requested while the DNS authentication is still valid, the first domain in the (ordered) alternative names is used instead. (This is just a guess though.)

This can be seen with the following certificates, which all were requested with the same domains in the same order, with regenwald.org as the first domain.

ECDSA Cert Correct Common Name (= regenwald.org)
https://crt.sh/?id=2557097650

ECDSA Cert Wrong Common Name (= *.hutanhujan.org)
https://crt.sh/?id=2561311856

RSA Cert Correct Common Name (= regenwald.org)
https://crt.sh/?id=2544778698

RSA Wrong Common Name (= *.hutanhujan.org)
Not yet listed on crt.sh
Fingerprint SHA256: 4eb2f821834eac676f0f0300fccac9bb39c4d1d333d49476f1b9725de1cef226

Any assistance would be appreciated

Regards
Tim

Hi @RegenwaldOrg

the CN value isn’t relevant.

It’s your decision how you create your CSR, so you can create the CSR with the CN you want to have.

Some clients may have some additional limitations. But the CN isn’t relevant, so use it.

2 Likes
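The check the answer points to, as an added example that is not part of the original thread: build a CSR with an explicitly chosen CN, then read the CN and the SAN order back out before the CSR is submitted. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the function names are hypothetical, the key is a throwaway, and only the two names quoted in the question are used.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes OpenSSL 1.1.1+ for -addext.

# make_csr KEYFILE CN SAN...: print a PEM CSR with the given subject CN and SANs.
make_csr() {
  local key="$1" cn="$2" san="" d
  shift 2
  for d in "$@"; do san="${san:+$san,}DNS:$d"; done
  openssl req -new -key "$key" -subj "/CN=$cn" -addext "subjectAltName=$san"
}

# csr_cn: read a PEM CSR on stdin, print its subject CN.
csr_cn() {
  openssl req -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject= *CN=\([^,]*\).*$/\1/p'
}

# csr_sans: read a PEM CSR on stdin, print its DNS SANs one per line, in order.
csr_sans() {
  openssl req -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# check_cn EXPECTED: succeed only if the CSR on stdin carries EXPECTED as its CN.
check_cn() {
  local csr; csr=$(cat)
  [ "$(printf '%s\n' "$csr" | csr_cn)" = "$1" ]
}

# Demo: same SAN list, same order, two different CN choices made in the CSR.
key=$(mktemp)
openssl ecparam -genkey -name prime256v1 -noout -out "$key"   # throwaway key
good=$(make_csr "$key" regenwald.org regenwald.org '*.hutanhujan.org')
bad=$(make_csr "$key" '*.hutanhujan.org' regenwald.org '*.hutanhujan.org')
rm -f "$key"

printf 'CSR 1 CN: %s\n' "$(printf '%s\n' "$good" | csr_cn)"
printf 'CSR 2 CN: %s\n' "$(printf '%s\n' "$bad" | csr_cn)"
printf 'CSR 2 SANs: %s\n' "$(printf '%s\n' "$bad" | csr_sans | tr '\n' ' ')"
```

Running `check_cn` against the CSR an ACME client actually generated shows whether the client, rather than the order of names in the request, picked the CN.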

Hi Jürgen,

the hint to look at the CSR was what I needed.

Thanks.

1 Like