DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

SAN in local certificate

19 Jul 2020 11:51 #1 by martynbest
SAN in local certificate was created by martynbest
Hi, newbie here.

My ultimate goal is to connect into my Vigor 2762n from a remote DD-WRT router using OpenVPN. To this end I've been getting to grips with X509 local certificates, keys and signing. As a first step I've now got the ability to connect to the web management of the router on the local network using https://192.168.1.1 without any warnings. After generating a local certificate, the entry in Subject Alternative Name is Type: IP Address and IP: 192.168.1.1. The Common Name (CN) field is 192.168.1.1. The Trusted CA certificate that was used to sign the local certificate has been exported and installed in the PC and everything works as advertised.

However, when I browse to the host name https://vigor.router, I get a browser invalid certificate warning. If I generate an additional local certificate that has a SAN as Type DNS: vigor.router as well as the CN as vigor.router, all is well again as long as the SSL VPN General Setup | Server Certificate is set to the vigor.router certificate. If the Server Certificate is set to the original IP certificate I can browse successfully to https://192.168.1.1 but not https://vigor.router, and if I use the DNS certificate I can browse to https://vigor.router but not to https://192.168.1.1. I have tried a local certificate that has a combination of DNS for the SAN and IP address for the CN and vice versa, but it seems the browser ignores the CN and relies solely on the SAN.

I have read that "From a technical standpoint, every certificate issued today is effectively a SAN certificate, as the CA/B forum requires the certification authority to add the content of the common name to the SAN as well". It would appear this is not the case with a DrayTek generated certificate as the SAN field only ever has a single entry. Is this something to do with how Windows 10 handles certificates or is it something wrong with the credentials presented by the router?

Is there a way to add more entries to the SAN of a DrayTek generated local certificate? I've tried generating a signing request having the required additional entries using XCA and pasting the resulting PEM into the PEM format content of the certificate on the router, but it ignores the additional SAN name. How can I solve the single SAN name behaviour when I want to implement a VPN as well?

Thanks, Martyn
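
The SAN-only matching described in the post above, as an added example that is not part of the original post: a standard-library Python check of which of the two URLs a certificate covers when the CN is ignored and IP literals are matched only against IP-type SAN entries. The certificates are constructed samples in the dict shape returned by `ssl.SSLSocket.getpeercert()`, and the helper names (`make_cert`, `san_matches`, `coverage`) are hypothetical.

```python
import ipaddress

# Constructed sample certificates, in the dict shape of ssl.SSLSocket.getpeercert().
def make_cert(cn, *sans):  # hypothetical helper, for this example only
    return {"subject": ((("commonName", cn),),), "subjectAltName": tuple(sans)}

IP_CERT = make_cert("192.168.1.1", ("IP Address", "192.168.1.1"))
DNS_CERT = make_cert("vigor.router", ("DNS", "vigor.router"))
# CN is the host name but the SAN holds only the IP (one of the combinations tried).
MIXED_CERT = make_cert("vigor.router", ("IP Address", "192.168.1.1"))
# A single certificate carrying both SAN entries.
BOTH_CERT = make_cert("vigor.router", ("DNS", "vigor.router"),
                      ("IP Address", "192.168.1.1"))

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_match(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def san_matches(cert, host):
    """True if host matches a SAN entry of the matching type; CN is never read."""
    host_ip = _as_ip(host)
    for kind, value in cert.get("subjectAltName", ()):
        if host_ip is not None:
            # An IP literal in the URL only matches "IP Address" entries.
            if kind == "IP Address" and _as_ip(value) == host_ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False

def coverage(cert, hosts=("192.168.1.1", "vigor.router")):
    """Map each host from the post's two URLs to whether the certificate covers it."""
    return {h: san_matches(cert, h) for h in hosts}

if __name__ == "__main__":
    for name in ("IP_CERT", "DNS_CERT", "MIXED_CERT", "BOTH_CERT"):
        print(name, coverage(globals()[name]))
```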
