Someone listed my domain in their certificate's "Subject Alternative Name"

My blog site josephkirwin.com (a wordpress.com custom domain name) was just http.

Someone else has registered a cert with Let's Encrypt
https://crt.sh/?id=12336612&opt=cablint

and now that certificate is being applied to my site.

Why is this?
Is this a mistake or a scam, and how can I remove it?

I’m going to arbitrarily guess that Wordpress.com is using Let’s Encrypt to obtain certificates for its users who are using custom domain names, and has a habit of lumping large numbers of SANs into one certificate.

2 Likes

You are absolutely correct. I contacted them and, once I found out, told them I’d prefer the correct Common Name if they plan on doing this, and some notice by email so I don’t waste your time @hlandau. Thanks for your assessment :smiley:

The CN is actually completely ignored by browsers when SAN is present, and eventually there won’t be any commonName in certs at all, so it shouldn’t actually matter whose domain name gets the privilege of ending up in that field when wordpress batches a bunch of sites into one 50-domain mega-cert like that…

1 Like
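
The name-matching rule from the last reply, as an added example that is not part of the original thread: when a certificate carries dNSName SAN entries, only those are compared against the hostname and the CN is never consulted. The certificate is a constructed sample in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; all domain names and the function names are made up for illustration, and the CN-only fallback shown is the legacy RFC 2818 rule, included only for contrast.

```python
# Constructed sample: a multi-tenant certificate whose CN belongs to one
# customer while the SAN list covers several unrelated sites.
SAMPLE_CERT = {
    "subject": ((("commonName", "first-customer.example"),),),
    "subjectAltName": (
        ("DNS", "first-customer.example"),
        ("DNS", "blog.example.org"),
        ("DNS", "*.shop.example.net"),
    ),
}


def _name_matches(pattern, host):
    """Compare one certificate name with a hostname, label by label.

    A '*' is honoured only as the entire left-most label, and never
    directly above a top-level domain (so '*.com' matches nothing).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def names_for_validation(cert):
    """Return the names a client compares against the hostname."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans  # SAN present: the CN plays no part in validation
    # Legacy RFC 2818 fallback for certificates with no dNSName SAN at all.
    return [v for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def cert_covers(cert, host):
    """True if the certificate is valid for host under the rule above."""
    return any(_name_matches(n, host) for n in names_for_validation(cert))


if __name__ == "__main__":
    for host in ("blog.example.org", "a.shop.example.net", "shop.example.net"):
        print(host, cert_covers(SAMPLE_CERT, host))
```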