Question

As far as I know, this information is stored in the Subject and X509v3 Subject Alternative Name fields. But there's more than that (openssl x509 -text -in example.com.crt):

Subject: description=MnUfE9G..., C=UA, CN=sub.example.com/emailAddress=webmaster@example.com
X509v3 Subject Alternative Name:
    DNS:sub.example.com, DNS:example.com

What are these description, C, CN, DNS things? Which standards govern the format of the fields?


Solution 2

How do I know which domains an ssl certificate is issued for?

This is specified in RFC 2818 (Section 3.1) (for HTTPS) and RFC 6125 (more generally).

In short:

  • If there are any Subject Alternative Name entries, the certificate will be valid for any of them. ("If a subjectAltName extension of type dNSName is present, that MUST be used as the identity.")

  • If there are no SAN DNS entries, "the (most specific) Common Name field in the Subject field of the certificate MUST be used." (according to RFC 2818).

    "Common Name" is the CN in the Subject Distinguished Name ("description=MnUfE9G..., C=UA, CN=sub.example.com/emailAddress=webmaster@example.com" in your example).

    (Note that defining what the "most specific" CN is (if there are multiple of them) is a bit vague, and that's one of the points RFC 6125 is addressing.)

EDIT:

What are these description, C, CN, DNS things? Which standards govern the format of the fields?

Regarding the content, as @AlexW said, this partly comes from the X.509 standard, which also relies on X.500/X.501, if you're interested in their format.

What they mean is a slightly different issue. Some of this has to do with the name and policy constraints in the PKIX Specification (RFC 5280, or 3280), but mainly this is linked to administrative policies set by the CAs. To some extent, these are more administrative and legal than purely technical documents.

The Symantec Trust Network Certificate Policies (Verisign) has its own description. Section 3 ("Identification and Authentication") should be of interest. Each CA has its own, but some aspects tend to be harmonised in practice.

The actual meaning depends on what browsers actually make of those fields. Besides CN (and SANs), there isn't always a clear technical interpretation. There has been a long-running Firefox issue about what to do with the O= (organisation) RDN, for example.

Another layer above this are the specifications coming from the CA/Browser forum, in particular the EV Certificate guidelines. In this case, the O= RDN would have a well-defined meaning (what appears in the green bar when using an EV certificate).
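The rule the answer above quotes (dNSName SAN entries are the identities when present, the Subject CN only when there are none) as a worked example. This is added code, not part of the answer or of OpenSSL: it reads the two relevant fields out of `openssl x509 -text` output (assuming OpenSSL's layout, where the SAN entries sit on the line after the extension header), builds the list of reference identifiers per RFC 2818 section 3.1 / RFC 6125 section 6.4.4, and matches a host name against them with the RFC 6125 section 6.4.3 wildcard rules. The sample certificate text is constructed from the fragment in the question plus an IP Address entry; the "at least two labels after a wildcard" rule is a browser convention, assumed here.

```python
import re

# Sample `openssl x509 -text` output. Constructed for this example from the
# fragment in the question, with an extra IP Address SAN entry added to show
# that non-DNS entries are ignored; it is not a real certificate.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Subject: description=MnUfE9G..., C=UA, CN=sub.example.com/emailAddress=webmaster@example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sub.example.com, DNS:example.com, IP Address:192.0.2.10
"""


def parse_openssl_text(text):
    """Extract (subject_cn, san_dns_names) from `openssl x509 -text` output.

    Only the Subject line and the dNSName entries of the SAN extension are
    read; every other field is irrelevant to host-name validation.
    """
    cn = None
    san_dns = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            # CN may be followed by ',' (new-style output) or '/' (old-style,
            # as in the question's "CN=sub.example.com/emailAddress=...").
            m = re.search(r"(?:^|[,/ ])CN=([^,/]+)", stripped)
            if m:
                cn = m.group(1).strip()
        elif stripped.startswith("X509v3 Subject Alternative Name"):
            # openssl prints the entries on the following line (assumed layout)
            if i + 1 < len(lines):
                for entry in lines[i + 1].split(","):
                    entry = entry.strip()
                    if entry.startswith("DNS:"):
                        san_dns.append(entry[len("DNS:"):].strip())
    return cn, san_dns


def reference_identifiers(cn, san_dns):
    """RFC 2818 s3.1 / RFC 6125 s6.4.4: if the certificate carries any dNSName
    SAN, those are the only identities it asserts; the Subject CN is consulted
    only when there is no dNSName SAN at all."""
    if san_dns:
        return list(san_dns)
    return [cn] if cn else []


def dns_name_matches(presented, hostname):
    """Compare one presented identifier with a host name.

    Matching is case-insensitive. A wildcard is accepted only as the entire
    left-most label and matches exactly one label (RFC 6125 s6.4.3, read the
    strict way browsers do: 'f*.example.com' is rejected, and
    'a.b.example.com' does not match '*.example.com'). Requiring at least two
    labels after the wildcard ('*.com' rejected) is a browser convention,
    assumed here.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in presented[2:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_matches(hostname, cn, san_dns):
    """Does a certificate with this CN and these SAN dNSNames cover hostname?"""
    return any(dns_name_matches(p, hostname)
               for p in reference_identifiers(cn, san_dns))


if __name__ == "__main__":
    cn, san = parse_openssl_text(OPENSSL_TEXT)
    print("CN:", cn, "SAN dNSNames:", san)
    for host in ("sub.example.com", "EXAMPLE.COM", "www.example.com"):
        print(host, "->", certificate_matches(host, cn, san))
    # The CN is ignored as soon as any dNSName SAN exists: a certificate with
    # CN=legacy.example.com and only SAN DNS:example.com is NOT valid for
    # legacy.example.com, while the same CN with no SAN at all is.
    print("legacy.example.com (SAN present):",
          certificate_matches("legacy.example.com", "legacy.example.com", ["example.com"]))
    print("legacy.example.com (no SAN):",
          certificate_matches("legacy.example.com", "legacy.example.com", []))
```

The last two checks are the practical consequence of the quoted rule: a CN that is not repeated in the SAN stops counting the moment the certificate has any dNSName entry, which is why CAs now always copy the CN into the SAN list.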

OTHER TIPS

The CN stands for Common Name and it is the DNS name of the host that the certificate is issued for.

The info you provided is for the subject:

C=Country
ST=State
L=Locality
O=Organization
OU=Organizational Unit
CN=Common Name

The PKI standards govern SSL X.509 certificates.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow