Solving "RSA Server Certificate CommonName (CN) Not Matching the Server Name" Error

The RSA Server Certificate CommonName (CN), or server name, must match the hostname of the system for site visitors to trust the connection. When the CommonName does not match the server name, an SSL/TLS handshake error will appear in web browsers and other applications, preventing users from accessing a website. This article explains how to fix the issue of RSA Server Certificate CommonName (CN) not matching the server name.

Step 1: Determine CommonName and Hostname

First, it's important to check if the CommonName and Hostname are correct in the environment.

The CommonName is the domain name the certificate was issued for. For example, if an SSL certificate is purchased for the domain "example.com", then "example.com" would be the CommonName of the certificate.

The Hostname is the name of the host. The following command, run in the terminal, prints its short form (the part before the first dot): hostname | cut -d"." -f1

Step 2: Validate Server Configuration

Next, the server configuration should be checked and validated to ensure the values are correct.

The following command can be used to check the current configuration: openssl s_client -connect example.com:443 -servername example.com

Run against the domain listed above, "example.com", this returns the details of the certificate the server presents, including the CommonName. Make sure the CommonName matches the domain ("example.com" in this case).

If the CommonName does not match the Hostname, the SSL certificate must be replaced.

Step 3: Replace the SSL Certificate

If the CommonName does not match the Hostname, the SSL certificate needs to be replaced. The steps for replacing an SSL certificate on a web server vary, but the new certificate must be configured in the same way as the one that is being replaced.

If the certificate is being purchased from a Certificate Authority (CA), they may have specific instructions on how to configure the new certificate in place.

Step 4: Restart the Server

Once the SSL certificate has been replaced and configured, the server must be restarted to apply the changes.

Once the server has been restarted, check the server again using the same openssl command to ensure the CommonName matches the Hostname.
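
The comparison made in Steps 1, 2 and 4, written as a script. This is an added example, not part of the original article: the function names and the self-signed "www.example.com" certificate are constructed for illustration. It checks only the CN (exact or single-label wildcard match), not subjectAltName entries.

```sh
#!/bin/sh
# Added example: compare a certificate's CN with the name clients connect to.
# Function names and the sample certificate are constructed for illustration.

cert_cn() {   # $1 = PEM certificate file; prints the subject CommonName
    openssl x509 -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Succeeds if CN $1 covers host $2: exact match, or a "*.domain" wildcard
# standing in for exactly one left-most label. DNS names are case-insensitive.
name_covers_host() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$name" ] || return 1          # certificate has no CN at all
    [ "$name" = "$host" ] && return 0
    case "$name" in
        \*.*) suffix=${name#\*}         # e.g. ".example.com"
              first=${host%%.*}         # left-most label of the host
              [ -n "$first" ] && [ "$host" = "$first$suffix" ] ;;
        *)    return 1 ;;
    esac
}

check_cn_for_host() {   # $1 = PEM file, $2 = server name to test
    cn=$(cert_cn "$1")
    if name_covers_host "$cn" "$2"; then
        echo "OK: CN '$cn' covers '$2'"
    else
        echo "MISMATCH: CN '$cn' does not cover '$2'"
        return 1
    fi
}

make_sample_cert() {   # $1 = CN, $2 = output PEM (constructed test input)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# To test a live server, save its certificate first:
#   openssl s_client -connect example.com:443 -servername example.com \
#       </dev/null 2>/dev/null | openssl x509 -out live.pem
demo=$(mktemp -d)
make_sample_cert "www.example.com" "$demo/cert.pem"
check_cn_for_host "$demo/cert.pem" "www.example.com"
check_cn_for_host "$demo/cert.pem" "web01" || true   # short hostname: mismatch
rm -rf "$demo"
```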

FAQ

How can I check the current server configuration?

To check the current server configuration, use the following command, which returns the details of the certificate, including the CommonName: openssl s_client -connect example.com:443 -servername example.com

What should I do if the CommonName does not match the Hostname?

If the CommonName does not match the Hostname, the SSL certificate must be replaced. Follow the steps provided in this article to replace and configure the SSL certificate.

What should I do if I am having trouble replacing the SSL Certificate?

If you are having trouble replacing the SSL Certificate, contact the Certificate Authority you purchased the certificate from as they may have specific instructions on how to configure the new certificate in place.

Can I check the Hostname without using the terminal?

Yes, you can use online tools to check the Hostname. One such tool is DigiCert's SSL Checker.

How long does it typically take to replace an SSL certificate?

Replacing an SSL certificate usually doesn't take long, although it can depend on the Certificate Authority you are using and how complex the configuration needs to be. After the SSL certificate is replaced and configured, the server must be restarted to apply the changes.

What else do I need to do once the SSL certificate has been replaced?

Once the SSL certificate has been replaced, check the server again using the same openssl command to ensure the CommonName matches the Hostname.
