Multiple domains but one CN

Hello everyone,

I finally get a script to automatically renew my certificates for all my domains at once.
I use this line:
./letsencrypt-auto --renew-by-default --config myconfiguration.ini --redirect --hsts

My configuration ini file looks like this:

rsa-key-size = 4096
email =
domains =,,,
text = True
renew-by-default = True
agree-tos = True

It works like a charm for now but the only problem is when I take a look at the certificates for each sites they all have the same CN:

I think maybe there is something I didn’t understood, can someone explain and/or help ?

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 16.04 Server

My hosting provider, if applicable, is: Scaleway

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

There can only be one CN - usually the first one alphabetically.
All the names are actually found in the SAN.

So instead of doing all in one script I should separate all the domains so everyone have it’s own CN ?

Why do you think you need every domain to have a CN? The CN field is deprecated and disregarded by most browsers in favor of the SubjectAlternateNames field. In fact, I think most major browsers throw an error now if you only have a CN defined.

1 Like

CN as in Common Name ? It identifies what domain you protect and I think it’s a pretty big deal in SSL certifcates isn’t it ?
If not can you explain why not please ?

As I said, that field is deprecated and disregarded. What matters is in the subject alternate name field.

Agreed, today if a cert only has a CN field (and no SAN) some systems will not accept the cert.

This is really correct, even if it’s contrary to what old documentation says. :slight_smile: The place in the certificate where the subject names are supposed to be stored has moved into the subject alternative name extension (which is not part of the X.509 subject). All browsers have respected this for many years now.

Thanks for the answers I learned a lot !

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.