Common Name of some of our SSL certificates don't match the domain name

ISSUE

We run an application with several custom domains.
From an issue reported by one of our clients, I noticed an unexpected behavior:

  1. When accessing custom-domain-1.tld from chrome, opening the Certificate Viewer, the “Issued To > Common Name” value is custom-domain-2.tld
  2. When accessing custom-domain-2.tld from chrome, opening the Certificate Viewer, the “Issued To > Common Name” value is custom-domain-3.tld
  3. When accessing custom-domain-3.tld from chrome, opening the Certificate Viewer, the “Issued To > Common Name” value is custom-domain-3.tld

For the first 2 custom domains, the "Issued To" CN value is targeting another of our custom domains.

For the 3rd custom domain, it seems to be working fine because it is targeting the expected domain.

Could this be the reason why the firewall of our client prevents them from accessing custom-domain-1.tld?
Do you have any suggestions on how to solve this?

Hello @jmeiss
Just to confirm, is it this application where you encounter the issue?

Concerning the certificate, we generate one certificate that is valid for all the domains of your application. If you go to the details of the certificate, you can see a section "Certificate Subject Alternative Name" that should contain all the domains related to your application. This is called a SAN certificate (more info there).

Do you have more details about the issue your client is experiencing?

Hi @Melvin_Zottola,

Thanks for your reply.

Yes, that’s the application.
I just sent you a PM with the full screenshot from our client who’s trying to explain the issue they are facing.
Here is a version where I removed the URL:

I told them that it looks like it’s an issue with their firewall (Fortinet) but the client IT team thinks it’s coming from us because the app is accessible 80% of the time.
Here is their answer:

Hello,
I contacted the IT department. In his opinion, the problem is not with our firewall as the platform is accessible 80% of the time. He thinks the problem is with the certificate.
To answer your question, yesterday I can confirm that the message also appeared on my phone - which is not always the case.

Thanks a lot for the details about a SAN certificate :pray:

This is strange because the certificate is valid (you can also check the validity on ssllabs.com) and has been valid for more than 1 month.

The fact that "the app is accessible 80% of the time" seems weird if this were a certificate issue (it should be either always accessible or never accessible).

I would recommend that they ask Fortinet support to take a look at their issue; maybe there is some misconfiguration on their side.

Don’t hesitate to keep us posted if you have additional info.

Alright, thanks for your reply and your help.
I'll keep you posted when I get any update from their side.

Regarding the CN, do you have any explanation why the CN does not (always) match the URL it’s being accessed from?

The CN corresponds to one domain chosen among the ones defined on your application side. As there is no constraint with a SAN certificate, since all the other domains are defined in the "alternate names" of the certificate, we just take the first one we find when we generate the certificate.

You should see the same CN no matter which domain you visit (so only 1 domain should match the CN of the certificate).

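To make the explanation above concrete, here is an added example (not code from the forum thread or from the hosting provider) showing how a TLS client actually decides whether a certificate is valid for the hostname it connected to: when the certificate carries a Subject Alternative Name extension, the SAN dNSName entries are matched and the Common Name is ignored; the CN is only consulted as a fallback when there is no SAN at all. The sample certificate dictionary is constructed in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; the domain names in it are placeholders, and `fetch_peer_cert` is a small helper you can point at your own custom domain to retrieve the real dictionary.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# one SAN certificate covering three custom domains, whose CN happens to be
# whichever domain the issuer picked first (here custom-domain-3.tld).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "custom-domain-3.tld"),),),
    "subjectAltName": (
        ("DNS", "custom-domain-1.tld"),
        ("DNS", "custom-domain-2.tld"),
        ("DNS", "custom-domain-3.tld"),
    ),
}


def common_name(cert):
    """Return the subject CN, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_dns_names(cert):
    """Return every dNSName entry from the SAN extension (may be empty)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, wildcard only as the
    whole leftmost label, and never matching across a label boundary."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Validate hostname the way browsers do: SAN first, CN only as a
    fallback when the certificate carries no SAN dNSName at all."""
    names = san_dns_names(cert)
    if names:
        return any(_name_matches(name, hostname) for name in names)
    cn = common_name(cert)
    return cn is not None and _name_matches(cn, hostname)


def explain(cert, hostname):
    """Summarise why a certificate is (or is not) valid for a hostname, making
    it visible that a CN mismatch on its own is not an error."""
    return {
        "hostname": hostname,
        "common_name": common_name(cert),
        "san_dns_names": san_dns_names(cert),
        "cn_matches_hostname": _name_matches(common_name(cert) or "", hostname),
        "valid_for_hostname": cert_matches_hostname(cert, hostname),
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the live certificate dictionary for a domain (network access).
    The default context already verifies chain and hostname, so an exception
    here means a normal TLS client would reject the certificate too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("custom-domain-1.tld", "custom-domain-2.tld", "custom-domain-4.tld"):
        print(explain(SAMPLE_PEER_CERT, host))
```

Running the script against the constructed sample shows `cn_matches_hostname: False` but `valid_for_hostname: True` for custom-domain-1.tld, which is exactly the situation in the thread: the Certificate Viewer displays a CN that differs from the address bar, yet the connection is valid because the hostname appears in the SAN list. A client that only checked the CN (or a middlebox doing its own, stricter inspection) is the thing to look at when such a certificate is rejected.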

Super clear!

Thanks a lot for the explanation :pray:
