I have experienced that certificate validation will fail if the peer identity certificate has SAN field holding DNS of another identity while the correct DNS is in CN.
In other words, CN is ignored when SAN extension exists.
I am trying to figure out if this is correct according to specification.
Referring to RFC5280 section-184.108.40.206) Subject Alternative Name
"The subject alternative name extension allows identities to be bound
to the subject of the certificate. These identities may be included
in addition to or in place of the identity in the subject field of
the certificate. "
“Whenever such identities are to be bound into a certificate, the subject alternative name (or issuer alternative name) extension MUST be used”
I think this is not clear in the description. Is it correct behavior to reject certificate if SAN field is preset but identity is not part of SAN list - but is held in subject.
Thanks in advance