Hi Hanno!
The cert was issued by our systems (DFN-PKI).
> This was pointed out by Mattias Geniar:
>
https://twitter.com/mattiasgeniar/status/924705516974112768 >
> I'm not entirely sure if the wording of the BRs forbid this (they say
> the CN field must contain a single IP or fqdn, but don't really
> consider the case that 2 CNs can be present), though this is
> clearly malformed.
I don't see why you say that this certificate is malformed. On what
basis? The BRs don't forbid this, RFC5280 doesn't forbid this.
There was even
http://wiki.cacert.org/VhostTaskForce#A2._Way:_Multiple_CommonNames_in_the_same_certificate
The author of cablint thinks multi-CN justifies a warning (I guess
because browser support of multi-CN is nowadays non-existent).
> I have informed telesec / Deutsche Telekom about this (this is
> indirectly signed by them) via their contact form.
>
> I haven't checked if other such certificates exist.
Of course do they exist.
Regards,
Jürgen