Hacker News

xg15, yesterday at 11:06 PM (1 reply)

> How do you verify the common name/subject alt name actually matches when using a client cert.

This seems exactly like a reason to use client certs with public CAs.

You (as in, the server) cannot verify this at all, but a public CA could.


Replies

nickf, yesterday at 11:14 PM

A public CA checks it once, when it's being issued. Most/all mTLS use-cases don't do any checking of the client cert in any capacity. Worse still, some APIs (mainly for finance companies) require things like OV and EV, but of course they couldn't check the Subject DN if they wanted to.

If it's for auth, issue it yourself and don't rely on a third party like a public CA.

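The check the thread says most mTLS deployments skip, as an added example (not code from either commenter): after the handshake, a server pins the issuer and matches the client certificate's CN/SAN against an allowlist, working on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents, issuer name and allowlist below are constructed for illustration.

```python
# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): "subject" and
# "issuer" are tuples of RDNs, each RDN a tuple of (type, value) pairs;
# "subjectAltName" is a flat tuple of (type, value). Not a real certificate.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Ltd"),),
        (("commonName", "billing-client"),),
    ),
    "issuer": ((("commonName", "Example Internal Client CA"),),),
    "subjectAltName": (
        ("DNS", "billing-client.internal.example"),
        ("email", "billing@internal.example"),
    ),
}


def identities(peercert):
    """Collect every name the client cert claims: CN plus DNS/email/URI SANs."""
    ids = set()
    for rdn in peercert.get("subject", ()):
        for typ, val in rdn:
            if typ == "commonName":
                ids.add(("CN", val))
    for typ, val in peercert.get("subjectAltName", ()):
        if typ in ("DNS", "email", "URI"):
            ids.add((typ, val))
    return ids


def authorize_client(peercert, expected_issuer_cn, allowlist):
    """Return the (type, name) that authorised the client, or None to reject.

    Note: getpeercert() returns {} when no cert was presented or it was not
    validated (verify_mode != CERT_REQUIRED), so an empty dict is rejected.
    """
    if not peercert:
        return None
    # Chain validation only proves the cert chains to *some* CA in the trust
    # store; pin the issuer so a cert from another trusted CA cannot pass.
    issuer_cn = next(
        (v for rdn in peercert.get("issuer", ()) for t, v in rdn if t == "commonName"),
        None,
    )
    if issuer_cn != expected_issuer_cn:
        return None
    # Only names on the allowlist grant access; the cert being valid is not enough.
    for ident in sorted(identities(peercert)):
        if ident in allowlist:
            return ident
    return None
```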