Ssl::verify_certificate( string|WpOrgRequestsStringable $host, array $cert ): bool

Verify the certificate against common name and subject alternative names


Unfortunately, PHP doesn't check the certificate against the subject alternative names on its own, so a host name that appears only there (and not as the common name) would be treated as invalid.


Host name to verify against
Certificate data from openssl_x509_parse()




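/**
 * Verify the certificate against common name and subject alternative names.
 *
 * dNSName entries of the subjectAltName extension are checked first. As soon as
 * the certificate presents at least one dNSName, the outcome is decided by those
 * entries alone and the common name is never consulted. Only when no dNSName is
 * present does this fall back to the subject CN, as per RFC 2818.
 *
 * @param string|Stringable $host Host name to verify against.
 * @param array|ArrayAccess $cert Certificate data from openssl_x509_parse().
 * @return bool True when the host matches the certificate, false otherwise.
 * @throws InvalidArgument When `$host` is not a string or Stringable, or `$cert` is not an array or ArrayAccess.
 */
public static function verify_certificate($host, $cert) {
	if (InputValidator::is_string_or_stringable($host) === false) {
		throw InvalidArgument::create(1, '$host', 'string|Stringable', gettype($host));
	}

	if (InputValidator::has_array_access($cert) === false) {
		throw InvalidArgument::create(2, '$cert', 'array|ArrayAccess', gettype($cert));
	}

	$has_dns_alt = false;

	// Check the subjectAltName extension. openssl_x509_parse() hands it over as one
	// comma-separated string of "<type>:<value>" entries.
	if (!empty($cert['extensions']['subjectAltName'])) {
		$altnames = explode(',', $cert['extensions']['subjectAltName']);
		foreach ($altnames as $altname) {
			$altname = trim($altname);

			// Only dNSName entries identify a host name; every other entry type is ignored.
			if (strpos($altname, 'DNS:') !== 0) {
				continue;
			}

			$has_dns_alt = true;

			// Strip the 'DNS:' prefix and trim whitespace.
			$altname = trim(substr($altname, 4));

			if (self::match_domain($host, $altname) === true) {
				return true;
			}
		}

		// A certificate that presents dNSName entries is verified on those alone;
		// the common name must not be used as a fallback once they exist.
		if ($has_dns_alt === true) {
			return false;
		}
	}

	// Fall back to checking the common name if we didn't get any dNSName
	// alt names, as per RFC2818.
	if (empty($cert['subject']['CN'])) {
		return false;
	}

	$common_name = $cert['subject']['CN'];

	// openssl_x509_parse() returns an array here when the subject carries more than
	// one CN. There is then no single identity to verify, so fail closed instead of
	// passing a non-string on to match_domain().
	if (!is_string($common_name)) {
		return false;
	}

	return (self::match_domain($host, $common_name) === true);
}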

