X.509 subjectAltName test page 1/4

Welcome to my little X.509 test. It consists of four pages, this being the first. During the HTTPS handshake they present a X.509 (aka "SSL-" or "TLS-" or "server-") certificate. You can carry out this test ...

• accepting the server cert only temporarily, or
• installing/accepting the server cert permanently (not possible with Opera), or
• installing the CA's root cert (see footer below) beforehand (unsurprisingly, all issuer warnings disappear).

Of course you should delete the cert(s) from the browsers certificate storage when you are done.

---

Said server cert is issued to the subject CN=test.eonis.net, but it also contains some alternate subject names (subjectAltName:dNSName), namely

• test.eonis.net (again)
• test.eonis.org
• *.co.uk
• *.com
• * (just the asterisk)

When you click on the link, your browser will correctly raise a warning that it does not know the CA which issued the certificate, and you will have the option to view it. Let the browser show you the cert and try to find those embedded alternate subject names.

Proceed to the next test page (2/4) and check if your browser shows you the embedded alternate subject names in the standard certificate view.

Spoiler: it won't.

---

Heise (german) reported on this issue ;-)

[details] [page 1] [page 2] [page 3] [page 4] [root cert]

---

Apache on 78.47.88.72:80 - (c) Nils Toedtmann 2007