Has the CN of a certificate always to be the FQDN?

theperfectwave · ‎09-09-2010

We did several tests with TLS secured connections to AMT computers. We always used certificates whose CNs (common names) contained the FQDNs of the AMT computers.

When using the AMT computers FQDNs as the CNs of the certificates, all the tests worked fine.

__________________________________________________________________

Now the question is: can also the IP-addresses or just the simple computer names (not the full FQDNs) be used for the CNs? We tried to use certificates to whose CNs the ip-addresses or the simple computer names have been assigned. Those tests failed.

But why:

* Did we make a mistake in those tests?

* Or is it just impossible to use the IP-addresses or simple computer names for the CNs? --> Are always the FQDNs required?

Andrew_S_Intel2 · ‎09-09-2010

It is possible (although not recommended) to use TLS with IP addresses. Mainly it's not recommended because the IP addresses are more likely to change than the FQDN, with the exception of static IP configuration, and it's more of a maintenance burdeneven if the systems are using static IP's.

However, depending on the client library you're using to build the WS-Man requests, it's possible that the WS-Man request that is getting built is explicitly requiring that the certificate is being checked against the host name. What are you using to perform this request?