CNAME SSL certificates

Tag: ssl , dns , certificates , cname Author: ice_fir0416 Date: 2012-03-13

I'm a user I go to www.example.com which has an image on the page that links to assets.example.com which is a CNAME for assets.example2.com. If I navigate to www.example.com am I going to get the green lock? Even if assets.example2.com does not have a certificate?

this a crafty question, but you won't circumvent ssl by proposing a dns CNAME entry. we see this at ssl.com quite a lot, but the answer you are looking is the one below

Best Answer

Whether your DNS entry uses a CNAME or an A record doesn't matter. What matters is the host name the client is trying to connect to. It must match one of the Subject Alternative Names in the certificate of the server providing that resource (or, failing that, it must match the CN RDN of the cert's Subject DN).

If https://www.example.com embeds an image to https://assets.example.com (providing both are served over HTTPS with valid certificates for each) and if there is no mixed content (no resource loaded over http://, that is no JavaScript, no image, no iframe, ...) then you should get the green/blue bar as appropriate.

If assets.example.com is a CNAME to assets.example2.com and the requests are made to https://assets.example.com, this machine must present a certificate valid for assets.example.com to the client.