I recently got a UC/SAN cert from DigiCert (read previous post “DigiCert: A Certificate Authority with excellent customer service”). Here’s a tip from them about which name (FQDN) to use as the Common Name.
Q: Which name should I use as the “common name” for my UC certificate?
A: It’s probably best to use the name which will be used by mobile devices for their ActiveSync connections.
Here is why:
Many organizations need to support a variety of mobile devices which connect to the mail server for ActiveSync. There are many mobile devices out there, with various SSL capabilities.
– The most common form of name matching is for the SSL client to compare the server name it connected to with the common name in the server’s certificate. It’s safe to assume this basic matching will be supported by all SSL clients.
– If the SSL client supports SANs (Subject Alternative Names) and there is a SAN extension in the server’s certificate, then the client will ignore the subject common name entirely and try to match the server name to one of the names in the SAN list. (This is why you will always see the subject common name repeated in the SAN list.)
– Windows Mobile 5 supports subject alternative names.
– Newer Palm Treo devices use WM5, but the older ones run PalmOS and use VersaMail for ActiveSync.
– The older Treos do not support SAN name matching.
– There are other mobile devices that don’t support SAN name matching either, so it’s safest to set your common name to the name that most mobile devices will be using.
– All popular browsers (IE, FF, Opera, Safari, Netscape) have supported SANs since 2003 (MS IE has supported them since Windows 98).
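The two matching behaviours described above, modelled as an added example (not code from DigiCert or from this post). The certificates are constructed dicts, the hostnames are hypothetical, and matching is exact and case-insensitive with no wildcard handling.

```python
# Added example: constructed certificates as plain dicts, hypothetical hostnames.
# Exact, case-insensitive comparison only; wildcard names are not modelled.

def _norm(name):
    return name.rstrip(".").lower()

def cn_only_match(cert, host):
    """Basic client: compares the server name with the subject common name."""
    return _norm(cert["cn"]) == _norm(host)

def san_aware_match(cert, host):
    """SAN-aware client: a SAN list, if present, replaces the CN entirely."""
    sans = cert.get("san") or []
    if sans:
        return _norm(host) in {_norm(n) for n in sans}
    return cn_only_match(cert, host)

def failing_clients(cert, connections):
    """connections: (host, kind) pairs, kind is 'cn-only' or 'san-aware'."""
    failures = []
    for host, kind in connections:
        match = san_aware_match if kind == "san-aware" else cn_only_match
        if not match(cert, host):
            failures.append((host, kind))
    return failures

# Constructed deployment: legacy ActiveSync devices use mail.example.com.
CONNECTIONS = [
    ("mail.example.com", "cn-only"),      # older device without SAN matching
    ("mail.example.com", "san-aware"),
    ("owa.example.com", "san-aware"),     # browser
]
SANS = ["mail.example.com", "owa.example.com"]

GOOD = {"cn": "mail.example.com", "san": SANS}
WRONG_CN = {"cn": "owa.example.com", "san": SANS}
CN_NOT_IN_SAN = {"cn": "mail.example.com", "san": ["owa.example.com"]}

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("wrong CN", WRONG_CN),
                        ("CN missing from SAN", CN_NOT_IN_SAN)]:
        print(label, "->", failing_clients(cert, CONNECTIONS))
```

With the CN set to a name the older devices do not use, only the CN-only client fails; with the CN left out of the SAN list, only the SAN-aware client connecting to that name fails.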