Certificate Common Name (CN) Field Explained
The Common Name (CN) field in an SSL certificate traditionally held the domain name. Learn its history, current role, and why SAN now handles hostname matching.
The Common Name (CN) is a field in the certificate's Subject distinguished name (DN). Historically, the CN field held the primary domain name the certificate was issued for (e.g., CN: www.example.com). It remains visible in decoded certificates but is no longer used by browsers for hostname validation.
History: CN Was the Original Hostname Field
In the early days of TLS, the CN field in the Subject was the only place a domain name appeared in a certificate. Browsers matched the CN against the hostname in the URL bar. As certificates started covering multiple domains (wildcards, multi-domain), this became inadequate — CN could only hold one value.
SAN Replaced CN for Hostname Matching
RFC 2818 (HTTP over TLS, 2000) recommended that browsers prefer the Subject Alternative Name (SAN) extension over CN for hostname matching. The CA/Browser Forum's Baseline Requirements eventually required CAs to include the domain in the SAN, and in 2017 Chrome stopped accepting certificates that only had a hostname in the CN. Firefox followed. Today, a certificate must list the domain in the SAN to be trusted.
What CN Is Used for Today
The CN field in TLS server certificates today is essentially a human-readable label. It typically mirrors the primary domain name (the first SAN entry), but some CAs use a wildcard or the organization name. The CN is not verified by browsers for hostname purposes — only the SANs are.
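The difference between the legacy CN fallback and SAN-only matching, shown as an added example that is not code from the original page. The certificates are constructed sample data in the dict form returned by Python's ssl.SSLSocket.getpeercert(); the function names and the simplified wildcard rule are assumptions of this example.

```python
# Constructed sample certificates (getpeercert() dict form), not real ones.
CN_ONLY = {"subject": ((("commonName", "www.example.com"),),)}
MODERN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
MISMATCH = {
    "subject": ((("commonName", "old.example.com"),),),
    "subjectAltName": (("DNS", "new.example.com"),),
}

def dns_sans(cert):
    """dNSName entries from the SAN extension (empty list if none)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    """CN values from the Subject distinguished name."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive label match; '*' may only be the whole left-most label.
    Simplified assumption: a wildcard needs at least two labels after it."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def match_san_only(cert, hostname):
    """Current browser behaviour: only dNSName SAN entries are consulted."""
    return any(name_matches(s, hostname) for s in dns_sans(cert))

def match_rfc2818(cert, hostname):
    """Legacy behaviour: use SAN if any dNSName exists, otherwise fall back to CN."""
    names = dns_sans(cert) or common_names(cert)
    return any(name_matches(n, hostname) for n in names)

def cn_not_in_san(cert):
    """Audit helper: CN values that a SAN-only client will never honour."""
    sans = {s.lower() for s in dns_sans(cert)}
    return [cn for cn in common_names(cert) if cn.lower() not in sans]

if __name__ == "__main__":
    for label, cert in (("CN_ONLY", CN_ONLY), ("MODERN", MODERN), ("MISMATCH", MISMATCH)):
        print(label, match_rfc2818(cert, "www.example.com"),
              match_san_only(cert, "www.example.com"), cn_not_in_san(cert))
```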
CN in Non-TLS Certificates
In client certificates and code signing certificates, CN typically identifies the person, device, or software. In CA certificates, CN identifies the CA's name. In these contexts, CN is still meaningful and used for identification — just not for TLS hostname validation.