by sigsergv 2747 days ago
Thanks for sharing, this kind of information is really rare and useful because A LOT of (technical) people just don't understand PKI and certificates properly.

Also, you've mentioned in the section “Naming things” that DN is deprecated; strictly speaking it's not. The Subject field is deprecated when a browser matches a certificate with a domain, but DN is still perfectly valid and the Subject field MUST contain a proper DN, as stated in https://tools.ietf.org/html/rfc5280#section-4.1.2.6.


Actually it seems there is a mixup in the original text between DN (Distinguished Name) and CN (Common Name). The former is a generic term for a structured X.500 name, the latter a specific field in the Subject Name of a certificate, which is technically a DN.

The convention used to be that the CN field must match the DNS name of the server in a server TLS certificate, but this feature is indeed deprecated and the DNS name extension should be used instead.

Some SANs are more equal than others
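The CN-versus-SAN point made in the second comment, as an added Go example (not code from the thread): it builds a constructed self-signed certificate whose Subject DN carries CN=example.com but whose only subjectAltName dNSName is www.example.com, then shows that Go's crypto/x509 hostname check accepts the SAN name and ignores the CN, while the Subject itself is still a complete DN. The hostnames and organization are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildCert creates a constructed self-signed certificate whose Subject DN
// carries a CN that deliberately does NOT appear among the SAN entries.
func buildCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// Subject is still a full DN (RFC 5280 4.1.2.6); CN is just one attribute of it.
		Subject:   pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		DNSNames:  sans, // subjectAltName dNSName entries, the names verifiers actually use
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostMatches reports whether Go's verifier (which ignores the CN) accepts the cert for host.
func HostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert, err := buildCert("example.com", []string{"www.example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("Subject DN:", cert.Subject.String(), " SAN:", cert.DNSNames)
	fmt.Println("CN example.com matches:", HostMatches(cert, "example.com"))          // false
	fmt.Println("SAN www.example.com matches:", HostMatches(cert, "www.example.com")) // true
}
```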