[openssl-users] Implementing deprecation of commonname and emailaddress
Viktor Dukhovni
openssl-users@dukhovni.org
Thu Aug 17 15:15:20 UTC 2017
On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:
> > Remove commonName and emailAddress completely from the cnf file. They no
> > longer belong in any cert, root or intermediate CA certs, server or user
> > certs.
>
> CommonName is supplied for viewing by tools like certificate viewers.
> It should probably be a friendly name, like "Example Web Services".
RFC 5280 suggests an empty subject DN with all the desired names
in the subject alt name extension.
> When you see a name like "example.com" in the CN, its usually a CA
> including a domain name and not a hostname.
That's nonsense.
> > For servers include something like in the cnf file:
> >
> > subjectAltName = DNS:www.example.com, DNS:example.com, DNS:localhost,
> > email:postmaster@example.com
>
> Don't include an email address.
That is, don't include unless the certificate is intended for S/MIME.
> X.509 and PKIX certificates don't really have a proper field for email
> addresses. That's why they get mashed into CommonName.
They sure do, that's what rfc822Name is for in the subject alt name
extension. It supports S/MIME certificates. There's even recent
work (soon to be an RFC) to internationalize this with SmtpUTF8Name...
> > Um, I can specify 'localhost' in this manner if I am on the server and
> > connecting in the browser with https://localhost ??
>
> Yes.
You can, but it is not a good idea. Since that "localhost" will
then work on every host that trusts the issuing CA. The only way
to make this reasonably secure is to have a per-host issuing CA
that's only trusted on *that* host, and *that* CA can then issue
the "localhost" certificate. All the hosts can additionally
trust other shared CAs.
> > I am looking at how to build the above line using ENV variables. It is more
> > a matter of how I do it than can I do it...
The tricky bit is creating a variable number of SAN elements, I don't
know how to do that with just environment variables. Sometimes building
a config file on the fly is the way to go.
--
Viktor.
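Viktor's closing point, building the config file on the fly, as an added example that is not part of the thread and not OpenSSL's own code: a POSIX shell script that takes the names from environment variables (SAN_HOSTS, SAN_IPS and SAN_EMAILS are names chosen for this example, not anything OpenSSL defines), validates them, writes a req config whose subjectAltName line is as long as the list needs, keeps the distinguished_name section empty so the subject DN can be left empty as RFC 5280 allows, and, if openssl is installed, produces a key and CSR from it. The sample names are constructed.

```shell
#!/bin/sh
# Added example for the thread above, not code from OpenSSL or from the posters.
# Builds an OpenSSL "req" config with a variable-length subjectAltName taken
# from environment variables, then makes a key and CSR if openssl is available.
#
# Assumed interface (these variable names are this example's own convention):
#   SAN_HOSTS="www.example.com example.com"   space-separated DNS names
#   SAN_IPS="192.0.2.10"                      space-separated IP addresses
#   SAN_EMAILS="postmaster@example.com"       only for S/MIME certificates

# Reject a token that is empty or contains anything outside the characters a
# hostname, IP address or mailbox needs; a comma or newline here would let a
# caller smuggle extra SAN entries or config directives into the file.
valid_token() {
    case $1 in
        ''|*[!A-Za-z0-9.@:_-]*) return 1 ;;
    esac
    return 0
}

# Print the subjectAltName value ("DNS:a, DNS:b, IP:c, email:d") built from
# the three variables. Prints nothing if no names were given; fails on a bad token.
san_value() {
    for _t in $SAN_HOSTS $SAN_IPS $SAN_EMAILS; do
        valid_token "$_t" || { echo "san_value: rejected token '$_t'" >&2; return 1; }
    done
    _out=""
    for _h in $SAN_HOSTS;  do _out="${_out:+$_out, }DNS:$_h";   done
    for _i in $SAN_IPS;    do _out="${_out:+$_out, }IP:$_i";    done
    for _e in $SAN_EMAILS; do _out="${_out:+$_out, }email:$_e"; done
    printf '%s\n' "$_out"
}

# Write a complete req config to "$1". The [dn] section is empty on purpose:
# the names live in subjectAltName and the subject is set to "/" (empty) on
# the openssl command line, which is what RFC 5280 permits for such certs.
write_req_cnf() {
    _san=$(san_value) || return 1
    [ -n "$_san" ] || { echo "write_req_cnf: no SAN names given" >&2; return 1; }
    cat >"$1" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]

[ext]
subjectAltName = $_san
EOF
}

# Generate a 2048-bit RSA key and a CSR from the generated config.
# Arguments: config path, key path, CSR path.
make_csr() {
    write_req_cnf "$1" || return 1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; config written to $1" >&2
        return 0
    fi
    openssl req -new -config "$1" -subj / -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" 2>/dev/null || return 1
    # Show the SAN line the CSR actually carries.
    openssl req -in "$3" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# Demo with constructed sample names. No localhost entry and no email address
# by default, following the advice in the thread.
SAN_HOSTS=${SAN_HOSTS:-"www.example.com example.com"}
tmpdir=$(mktemp -d)
make_csr "$tmpdir/req.cnf" "$tmpdir/key.pem" "$tmpdir/req.csr"
cat "$tmpdir/req.cnf"
```

The `-subj /` on the command line is what keeps the subject empty; without it, `prompt = no` plus an empty `[dn]` section makes `openssl req` refuse to build a subject from the config. The token check matters because the values come from the environment: a comma inside one name would otherwise become a second SAN entry in the generated file.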