AAtsushi's Blog
Security

Subject Alternative Names

→ 日本語版を読む

I had no idea Subject Alternative Names were a thing...

When using a self-signed certificate with Tableau Prep, the documentation says to include a Subject Alternative Name — which left me puzzled. After looking it up, it turns out that hostname matching is done via the Subject Alternative Name rather than the Common Name.

Reference:

【Illustrated】How TLS SNI Works Differences from SANs, CN, and Wildcards | SE's Milestone

The hostname indicated by a certificate is commonly known through the "Common Name" within the Subject attribute, but today SANs (Subject Alternative Names) are the mainstream approach. It is also called the "Subject's Alternate Name."

Chrome and similar browsers have declared that they "ignore the Subject attribute (i.e., do not look at the Common Name within it) and perform verification using SANs only."

SANs were originally intended as a replacement for "Subject ≈ Common Name," serving as names separate from the Common Name that are permitted for use as URLs. As described above, however, SANs are now primarily used for checking whether a site is legitimate or fraudulent.

Tableau Prep reference:

Blank Tableau Server Sign-In Dialog When Using Self-Signed Certificate | Tableau Software