SSL & Certificates

Subject Alternative Names & the Mismatch Trap

The single most common HTTPS error isn't an expired certificate. It's a perfectly valid, perfectly trusted certificate that simply doesn't list the hostname the visitor typed. The list it should have been on is the Subject Alternative Name — and the “Common Name” field that everyone instinctively checks has been ignored by browsers for years.

~6 min read Intermediate SSL & Certificates

TL;DR

A certificate is valid only for the hostnames listed in its Subject Alternative Name (SAN) field. Browsers have ignored the old Common Name (CN) entirely since 2017. example.com and www.example.com are different names — both must be in the SAN, or one of them throws a certificate error even though the cert is otherwise fine.

CN is dead; long live SAN

Early TLS certificates identified their site with a single field, the Common Name — one hostname, like www.example.com. That fell apart as soon as sites needed to be reachable under more than one name, so the Subject Alternative Name extension was added: a list of hostnames the certificate is valid for.

For years certs carried both, and the CN duplicated the first SAN entry for compatibility. Then browsers drew a line. Chrome 58, in 2017, stopped looking at the Common Name altogether — if a hostname isn't in the SAN list, the cert is invalid for it, full stop, no matter what the CN says. Every major browser followed. The CN is now a vestigial, display-only field; the SAN is the only thing that decides validity.

How matching works

When you connect to a host over HTTPS, the browser takes the hostname from the URL and checks whether it matches any entry in the certificate's SAN list. The match is exact, with one wrinkle for wildcards:

A textbook mismatch: the certificate covers www and several subdomains but not the bare apex, so visitors who drop the www hit a hard error.

Wildcards cover exactly one label

A wildcard SAN like *.example.com matches one level of subdomain — and only one:

Wildcard `*.example.com`	Result
`www.example.com`	Matches — one label
`shop.example.com`	Matches — one label
`example.com` (apex)	Does not match — the wildcard needs a label to fill
`a.b.example.com`	Does not match — that's two labels deep

This is why the common, correct pattern is to put both the wildcard and the apex in the SAN: *.example.com and example.com. A wildcard alone leaves your bare domain uncovered, and a wildcard never reaches two levels deep — api.staging.example.com needs either its own entry or a *.staging.example.com wildcard.

SNI: how the server even knows which cert to send

One server IP often hosts many HTTPS sites, so before any certificate changes hands the browser announces the hostname it wants in the TLS handshake — that's Server Name Indication (SNI). The server uses the SNI value to pick which certificate to present. If SNI and your virtual-host config disagree, you can get the wrong site's certificate back — which then fails the SAN check for the name you asked for. Mismatches sometimes trace back to a misconfigured default vhost rather than the cert itself.

Single, multi-domain, and wildcard certs

Single-name — one or two SAN entries (typically apex + www). Fine for a simple site.
Multi-domain (SAN / UCC) — an explicit list of unrelated hostnames, even across different domains, on one cert. Common behind load balancers and on platforms hosting many properties.
Wildcard — one *.example.com entry covering any single-label subdomain, usually paired with the apex.

The error message names the problem. When a browser shows NET::ERR_CERT_COMMON_NAME_INVALID, it's not really about the Common Name — it means the hostname you visited wasn't in the certificate's SAN list. The most frequent cause is exactly the apex-vs-www gap above: a cert issued for www.example.com while someone visits example.com, or the reverse.

What FatDig shows you

The SSL section on the Advanced Dig lists the certificate's Subject Alt Names alongside who it was issued to and its validity window. The check that actually matters: is the specific hostname you care about — both the apex and the www, if you use both — present in that SAN list? A cert can be freshly issued, from a top-tier CA, valid for another 89 days, and still throw an error for half your visitors because one of those two names was left off. The SAN list is where you confirm it wasn't.

Try it on FatDig: dig your domain and read the Subject Alt Names in the SSL card. Are both example.com and www.example.com listed? If only one is, try loading the other in a browser — you may have a mismatch error that's been quietly turning visitors away.