Channel: Security forum

Subject Name Confusion (SN and SAN guidelines)

I just started to learn PKI so my question may look foolish but…

I'm confused about Subject Name and Subject Alternative Name. Let's take a simple example to explain what I mean.

When you open the site mail.google.com and look at the certificate, you see the following:

Issued to: mail.google.com

Issued by: Google Internet Authority G2

I made a certificate for my TS Web Access Farm and it looks like:

Issued to: Remote Desktop Web Access

Issued by: MyDomain Internal CA

I discovered that the common name may not contain any host/DNS names of the server and it still works (at least I don't see any error; the certificate is OK and the path is too). However, it contains a SAN with the DNS name. But why didn't Google do the same?

Issued to: Google Mail Services

Issued by: Google Internet Authority G2

That's the question…

Are there any limitations, restrictions, recommendations or other possibly useful information on what the SN can (must) contain and what it can't (must not)? Why do only CAs (at least I saw only CA certificates with a "Long Subject Name") contain such names?

And the next-door question: Are there any similar limits on SAN? Are there any systems which will not work with SAN anyway? (that's why you must use FDN in SN)

Sorry that I haven't immersed myself deeply in the X509 RFCs… Not sure I'm ready to do it right now.

If I did something wrong, please correct me. Thanks in advance.
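
The behaviour observed in the post (a certificate whose common name is a display name still validating because it carries a SAN DNS entry) matches the name-checking rule of RFC 2818 and RFC 6125: when dNSName entries are present in the SAN, only they are compared with the host name and the CN is not consulted. The sketch below is an added example, not part of the original post; the certificate dicts, the host names under `mydomain.example` and the `allow_cn_fallback` parameter are constructed for illustration.

```python
# Added example: server-name check in the style of RFC 6125 over a dict shaped
# like the result of ssl.SSLSocket.getpeercert(). All sample data is constructed.

def san_dns_names(cert):
    """dNSName entries of the Subject Alternative Name extension."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    """Every commonName attribute found in the Subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive compare; '*' counts only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) > 2:      # refuse "*" and "*.tld"
        return p[1:] == h[1:]
    return p == h

def verify_hostname(cert, hostname, allow_cn_fallback=False):
    """Return (matched, field_used). Any SAN dNSName makes the CN irrelevant."""
    dns = san_dns_names(cert)
    if dns:
        return any(name_matches(d, hostname) for d in dns), "SAN"
    if allow_cn_fallback:               # hypothetical switch for legacy behaviour
        return any(name_matches(c, hostname) for c in common_names(cert)), "CN"
    return False, "none"

# Constructed certificates: display-name CN plus SAN, and a CN-only legacy one.
RDWEB_CERT = {
    "subject": ((("commonName", "Remote Desktop Web Access"),),),
    "subjectAltName": (("DNS", "rdweb.mydomain.example"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.mydomain.example"),),)}

if __name__ == "__main__":
    print(verify_hostname(RDWEB_CERT, "rdweb.mydomain.example"))
    print(verify_hostname(CN_ONLY_CERT, "mail.mydomain.example"))
    print(verify_hostname(CN_ONLY_CERT, "mail.mydomain.example", allow_cn_fallback=True))
```

A certificate that puts the host name only in the CN passes this check only when the client still performs the legacy CN fallback, which is the compatibility reason for repeating the host name in both fields.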


