Order of SAN entries

I have a certificate with 4 SAN entries added in the order as listed:

mail.company.nl [primary]
mail.company.be
autodiscover.company.nl
autodiscover.company.be

But if I look at the certificate, the order listed in the SAN field is the opposite, so starting with “autodiscover.company.be” and ending with “mail.company.nl”.

Is this because of how Certify handles the request, or Let’s Encrypt?

Normally this shouldn’t be an issue, however Microsoft did a terrible job with their SMTP server service. This service tries to find a suitable certificate and doesn’t offer any configuration, and I read somewhere that it will only check the first entry of the SAN field.

That’s an interesting one! It seems like something that would have already been reported to us by now if that was an issue? Yes, we probably sort alphabetically somewhere and I suspect Let’s Encrypt do as well.

Which version/product are you using - is it Microsoft Exchange 2016?

No, not Exchange. It's the SMTP service, which is a feature in Windows Server. I use that as a relay/proxy for our internal mail server.

I found this in a recent post on a forum:

By the way, I found Microsoft has a bug in the code of the smtpsvc service. If you use a certificate with Subject Alternative Names (SAN), when it searches for a suitable certificate it does not check the Common Name (CN), it checks the first entry in the SAN list only! If the first SAN matches the FQDN entered on tab Delivery, button Advanced…, in the field Fully-qualified domain name, smtpsvc will use the certificate. If the matching name is in the CN or in the second, third, etc. place in the SAN list, it will not use the certificate and log

The SMTP service offers no configurable settings for certificates, but decides which to use based on the FQDN in the CN or SAN. And this is still valid for the service in Windows 2019 (I really need to find a good alternative).

Ah ok, well if the service can only see one SAN entry, just create one managed certificate with just that name and use that just for that service; you can create other managed certs for other services.

I think I’ll try that, thanks.
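The ordering question in this thread comes down to what ends up in the DER-encoded subjectAltName extension of the issued certificate, and the smtpsvc problem comes down to which entries a matcher looks at. The following is an added example (not code from Certify The Web, Let's Encrypt, or Microsoft): it encodes and decodes a subjectAltName value so the on-the-wire order can be inspected, and places a first-entry-only matcher, written to follow the behaviour the quoted forum post attributes to smtpsvc rather than verified against Microsoft's implementation, next to a matcher that checks the CN and every SAN entry. The hostnames are the constructed sample names from this thread; the `if __name__` block also runs the single-name workaround suggested above.

```python
from __future__ import annotations

# Added example (not code from Certify The Web, Let's Encrypt, or Microsoft):
# encodes/decodes a DER subjectAltName value to show that DER keeps entries in
# the order given, and models the two matching strategies discussed in the
# thread. The smtpsvc model follows the thread's description (assumption).

TAG_SEQUENCE = 0x30  # universal SEQUENCE
TAG_DNSNAME = 0x82   # GeneralName CHOICE [2] dNSName (IA5String, implicit tag)


def _der_len(n: int) -> bytes:
    """Encode a DER length in short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(dns_names: list[str]) -> bytes:
    """DER-encode GeneralNames (RFC 5280 4.2.1.6) as a SEQUENCE of dNSName
    entries. The list order is preserved exactly, so any reordering seen in an
    issued certificate happened before encoding (CSR builder or CA)."""
    inner = b"".join(
        bytes([TAG_DNSNAME]) + _der_len(len(name)) + name.encode("ascii")
        for name in dns_names
    )
    return bytes([TAG_SEQUENCE]) + _der_len(len(inner)) + inner


def _read_len(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def decode_san(der: bytes) -> list[str]:
    """Return the dNSName entries of a subjectAltName value in wire order.
    Other GeneralName choices (rfc822Name, iPAddress, ...) are skipped."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("subjectAltName value must start with a SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("truncated or trailing data in subjectAltName")
    names: list[str] = []
    while pos < end:
        tag = der[pos]
        vlen, pos = _read_len(der, pos + 1)
        value = der[pos:pos + vlen]
        pos += vlen
        if tag == TAG_DNSNAME:
            names.append(value.decode("ascii"))
    return names


def first_san_matches(san_value: bytes, fqdn: str) -> bool:
    """Model of the behaviour the thread describes for smtpsvc: only the first
    SAN entry is compared with the configured FQDN and the CN is ignored."""
    names = decode_san(san_value)
    return bool(names) and names[0].lower() == fqdn.lower()


def any_name_matches(cn: str, san_value: bytes, fqdn: str) -> bool:
    """Hostname matching that checks the CN and every SAN entry, for comparison."""
    target = fqdn.lower()
    return cn.lower() == target or any(n.lower() == target for n in decode_san(san_value))


if __name__ == "__main__":
    requested = ["mail.company.nl", "mail.company.be",
                 "autodiscover.company.nl", "autodiscover.company.be"]
    # Constructed sample: the reversed order the original poster saw in the issued certificate.
    issued = list(reversed(requested))
    san = encode_san(issued)
    print("SAN entries in wire order:", decode_san(san))
    print("first-entry-only match for mail.company.nl:",
          first_san_matches(san, "mail.company.nl"))
    print("CN-or-any-SAN match for mail.company.nl:",
          any_name_matches("mail.company.nl", san, "mail.company.nl"))
    # Workaround from the thread: a separate certificate containing just that one name.
    single = encode_san(["mail.company.nl"])
    print("single-name certificate matches:", first_san_matches(single, "mail.company.nl"))
```

Running it shows the reversed certificate failing the first-entry-only check while passing the CN-or-any-SAN check, and the single-name certificate passing both; to inspect a real certificate's order, feed the raw value of its subjectAltName extension (OID 2.5.29.17) to `decode_san`.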