Understanding Security+ Question

[netsurfer802]

I'm studying for the Security+ certification and don't really understand an answer to the question (see below). I've tried searching online and can't seem to find a clear answer on what a certificate CN is and what an A record is...can somebody please explain?...

Which of the following is true when Sara, a user, browsing to an HTTPS site receives the

message: 'Site name mismatch'?

A. The certificate CN is different from the site DNS A record.

B. The CA DNS name is different from the root certificate CN.

C. The certificate was issued by the intermediate CA and not by the root CA.

D. The certificate file name is different from the certificate CN.

Answer: A

[Innuendo]

I'm taking my Security+ course in college right now so maybe I can help.

What answer A is basically telling you is that the Certificate Name (the web site name the certificate was issued to) does not match the host record (the web site name that Sara is visiting) on the DNS server.

Example: Sara types https://www.bobs-web-site.org into her browser and when she gets there her browser finds an SSL certificate issued to stans-web-site.net.

Does this help?

[Snake89]

This goes into alot more detail:

http://technet.microsoft.com/en-us/library/dd891009.aspx

Just in case u wanna read more into it.

[+BudMan MVC]

I don't like the wording of the answer --- the dns record might not even come into play, What if the user is using a host file? Or what if user is accessing site via netbios name on a local lan?

Better wording might of been CN does not match url used to access site. Maybe the user accessed site via http:\\ipaddress

A dns A record is an IP for a host name in a specific zone - so again wording is not correct for what they are wanting you to understand.

What if going to www.domainx.com which is a cname that points to www.domainb.com, etc. No A record for the FQDN (fully qualified domain name) the user used to access the site. There would be an A record for www.domainb.com, but no A record for where you went.

CN stands for common name, which is a field on the cert when generated.

if you get a mismatch error, all its telling you use the URL in your browser does not match the common name on the cert. Saying it does not match the A record is not really accurate since they don't even say how the user accessed the site. Could of been via IP or netbios name, etc.

Not sure what material your using - but seems from your multiple questions in the past, its not a very good resource.