[openssl-users] Subject CN and SANs

Kyle Hamilton aerowolf at gmail.com
Sun Dec 23 23:01:02 UTC 2018


You're right, I typoed.  SubjectDN is non-optional.  But it can, as
you mentioned, be an empty sequence.

But for PKIX purposes, it can't be empty if it's an Issuer (because
IssuerDN can't be empty in the certificates that it issues).

-Kyle H

On Sun, Dec 23, 2018 at 3:35 PM Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>
>
>
> > On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
> >
> > SubjectCN is an operational requirement of X.509, I believe.
>
> You're confusing the DN and the CN.
>
> >  It's not optional in the data structure, at any rate.
>
> The subjectDN is not optional, but it can be empty sequence, and
> is empty for domains whose name exceeds the CN length limit of either
> 63 or 64 characters (can't recall which of the two just now, but that
> is not important).
>
> --
>         Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list