The meaning of certificates with common name not related to X509v3 Subject Alternative Name

Hey guys
I was using to look for my domain to see what certificates were generated and was surprised to see some strange results.
Looking at this result for example:

You can see that the Subject>commonName =
But looking at the X509v3 Subject Alternative Name: area you can see a long list of domains completely unrelated to, for example

How can this be explained? Is this a security issue?
Thanks in advance!


I haven't checked, but this could be due to e.g. Cloudflare. Especially in the past (exact current practice is unknown to me) Cloudflare used to pool multiple sites that were using their free tier CDN service into a single certificate. And you had to have a paid service for a certificate for just your own site.


Looks like there is some sort of CDN (Varnish based perhaps) so whoever set that up would be the one to ask about the cert details.

curl -I
HTTP/2 200
x-served-by: cache-iad-kcgs7200101-IAD
x-cache: HIT
x-cache-hits: 1
x-timer: S1678807917.336907,VS0,VE1


curl -I
HTTP/1.1 301 Moved Permanently
Server: Varnish

Using this online tool shows both

Are DNS mapped to the same IPv4 Address and are hosted by Fastly, Inc.


We were using firebase at some point and I think Firebase are using fastly, so perhaps that is the cause.
Is there any security risk in such behavior, or is it generally common for CDNs to operate in such a way?

Yes, it's generally common and not particularly concerning.

Not really beyond the general security risk of using a CDN in general: Your CDN is "in the middle" of the transaction, and so can impersonate your site and monitor the traffic between your users and you. That's basically the service they're selling you, so maybe "security risk" isn't quite the right term, but if they get hacked or have a terrible bug or whatnot, it might impact you in a way that you'd wish you'd have gone with a different provider or hosted it yourself.
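To make the point in the replies above concrete (a pooled certificate with unrelated SANs does not let anyone impersonate domains that are not listed, and the commonName plays no role in the decision once a SAN extension is present), here is an added example that is not part of the original thread. It uses a constructed certificate dict in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, with made-up `.example` names, and implements the RFC 6125 style matching that TLS clients perform: DNS SANs are authoritative, the CN is only a legacy fallback when no SAN exists, and a wildcard may only be the whole leftmost label and matches exactly one label. The wildcard rule here is a simplification (it merely insists on at least two labels after the `*`) rather than a full public-suffix check.

```python
from typing import Dict, List, Tuple

# Constructed sample, not a real certificate: the shape mirrors ssl.SSLSocket.getpeercert().
# CN is a CDN pool name; the SAN list mixes several unrelated tenants, as in the thread.
POOLED_CERT: Dict = {
    "subject": ((("commonName", "cdn-pool-123.example"),),),
    "subjectAltName": (
        ("DNS", "cdn-pool-123.example"),
        ("DNS", "www.my-site.example"),
        ("DNS", "*.other-tenant.example"),
        ("DNS", "shop.unrelated.example"),
    ),
}

# Constructed legacy-style sample with no SAN extension at all (CN-only fallback case).
CN_ONLY_CERT: Dict = {
    "subject": ((("commonName", "legacy.my-site.example"),),),
}


def dns_names(cert: Dict) -> List[str]:
    """All DNS entries from the SAN extension: every name this key holder may serve."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert: Dict) -> str:
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one presented identifier against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, followed by at least two more labels,
    # and it matches exactly one label (so *.x.example never matches a.b.x.example).
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """What a client checks: SAN DNS names when present; CN only if the cert has no SAN."""
    names = dns_names(cert)
    if names:
        return any(_pattern_matches(p, hostname) for p in names)
    cn = common_name(cert)
    return bool(cn) and _pattern_matches(cn, hostname)


def unrelated_names(cert: Dict, my_suffix: str) -> List[str]:
    """SAN entries outside your own domain: the other tenants sharing this private key."""
    suffix = my_suffix.lower().lstrip("*").lstrip(".")
    return [
        n for n in dns_names(cert)
        if not (n.lower().lstrip("*.") == suffix or n.lower().endswith("." + suffix))
    ]


if __name__ == "__main__":
    for host in ("www.my-site.example", "my-site.example", "a.other-tenant.example",
                 "a.b.other-tenant.example", "evil.example"):
        print(f"{host:28} -> {hostname_matches(POOLED_CERT, host)}")
    print("other tenants on this key:", unrelated_names(POOLED_CERT, "my-site.example"))
```

Run it and the first line is the only one of your own names that validates; the CN never enters into it. `unrelated_names` lists exactly what the "CDN in the middle" remark means in practice: whoever holds the private key behind this certificate can present it for every listed tenant, but for nobody else.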


Yep, they are well-known for combining unrelated SANs.


But it's actually Fastly this time!:
ARIN Whois/RDAP - American Registry for Internet Numbers

