> >. New certificates should only use the subjectAltName extension. > Are any CAs actually doing that? I thought they all still included subject.CN. Yes, I think commercial CA's still do it. But that doesn't make my statement wrong :)