What is a SAN certificate?

Subject Alternative Name allows one certificate to cover multiple domains (example.com, www.example.com, api.example.com).

Can a wildcard cert cover the base domain?

No. *.example.com covers www.example.com and sub.example.com but NOT example.com itself. You need to include the base domain separately.

Browser NET::ERR_CERT_COMMON_NAME_INVALID — SSL Name Mismatch

Errorgeneral browser

Overview

NET::ERR_CERT_COMMON_NAME_INVALID means the SSL certificate domain name does not match the website URL you are visiting.

Key Details

SSL certificates are issued for specific domain names
The certificate must match the URL domain exactly or via wildcard
Example: cert for *.example.com does not cover example.com (no subdomain)
All major browsers show this error, though the code name varies
Chrome shows 'Your connection is not private' with this error code

Common Causes

SSL certificate issued for www.example.com but accessed via example.com
Website using a shared hosting certificate for a different domain
Certificate SAN (Subject Alternative Name) does not include the accessed domain
Corporate proxy rewriting HTTPS with its own certificate
Website recently changed domains without updating the certificate

Steps

1Check if adding or removing 'www.' from the URL fixes it
2Click the padlock > Certificate > check what domain the certificate was issued for
3If you own the site, reissue the certificate to include all needed domains (with and without www)
4Use Let's Encrypt certbot with: certbot --expand -d example.com -d www.example.com
5If a corporate proxy causes this, add the proxy certificate to your browser trust store

More in General Browser

browser-service-worker-errorBrowser Service Worker Registration Failed Error

Warning

Frequently Asked Questions

The connection is encrypted but the certificate does not match the domain. It could be a misconfigured server or a man-in-the-middle. Do not enter sensitive data.