Rapid7 Vulnerability & Exploit Database

X.509 Certificate Subject CN Does Not Match the Entity Name

Severity: 7
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:N)
Published: 08/03/2007
Created: 07/25/2018
Added: 08/03/2007
Modified: 04/25/2019

Description

The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.

Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by "https://www.example.com/", the CN should be "www.example.com".

In order to detect and prevent active eavesdropping, the validity of a certificate must be verified; otherwise an attacker can mount a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the subject's CN, which must match the name of the entity (hostname) presenting the certificate.

A CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.

Please note that this check may flag a false positive against servers that are properly configured using SNI.
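The identity check described above, as an added example that is not part of the Rapid7 entry: a small Python matcher that compares the certificate's claimed names against the hostname the client connected to, following the usual rules (subjectAltName dNSName entries take precedence over the subject CN; a wildcard is only honoured as the whole left-most label and never spans a dot). The certificate dictionaries are constructed here in the shape returned by `ssl.SSLSocket.getpeercert()`; the `fetch_peer_cert` helper is an assumed convenience for pulling a live certificate, and its `use_sni` flag illustrates the SNI caveat: a client that omits SNI is handed the server's default certificate, whose names may legitimately differ from the virtual host being scanned.

```python
import socket
import ssl
from typing import Dict, List, Optional


# Shape of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a
# tuple of (attribute, value) pairs; 'subjectAltName' is a tuple of (type, value).
Cert = Dict[str, object]


def claimed_names(cert: Cert) -> List[str]:
    """Names the certificate claims, RFC 6125 style: subjectAltName dNSName
    entries if any exist, otherwise the subject commonName value(s)."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    cns: List[str] = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cns.append(value)
    return cns


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, must leave at least two
    # real labels (no "*.com"), and must not match across a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: Cert, hostname: str) -> bool:
    """True when the certificate identifies the given hostname."""
    return any(name_matches(name, hostname) for name in claimed_names(cert))


def fetch_peer_cert(host: str, port: int = 443, use_sni: bool = True,
                    timeout: float = 5.0) -> Optional[Cert]:
    """Assumed helper: retrieve a server's certificate (network access needed).
    With use_sni=False the client sends no server name, so a server hosting
    several names returns its default certificate; that is the source of the
    false positive mentioned in the description."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the matcher above performs the name check
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()


# Constructed sample certificates, in getpeercert() format.
SAMPLE_CERT: Cert = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
DEFAULT_VHOST_CERT: Cert = {  # what a non-SNI client might be handed
    "subject": ((("commonName", "default.hosting.example"),),),
    "subjectAltName": (("DNS", "default.hosting.example"),),
}
WILDCARD_CERT: Cert = {"subject": ((("commonName", "*.example.com"),),)}
SAN_OVERRIDES_CN: Cert = {  # CN is ignored once a dNSName SAN is present
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}


if __name__ == "__main__":
    for label, cert in [("sample", SAMPLE_CERT), ("default vhost", DEFAULT_VHOST_CERT)]:
        ok = match_hostname(cert, "www.example.com")
        print(f"{label}: names={claimed_names(cert)} matches www.example.com={ok}")
```

When a scan reports this finding, re-check the host with SNI enabled before treating it as a misconfiguration; a match with SNI and a mismatch without it is the false-positive case the description warns about.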

Solution(s)

  • certificate-common-name-mismatch
