[openssl-users] Subject CN and SANs

chris.gray at kiffer.be chris.gray at kiffer.be
Mon Dec 24 09:59:43 UTC 2018


A bit off-topic but is it also a good idea to follow these guidelines in
non-browser use cases, for example for a client certificate which is used
to authenticate on a TLS connection which will be used for another protocol
such as MQTT? In this case the SubjectCN looks like a "natural" place to
put the client's identity, but maybe it is still better to use
subjectAltName?

 - Chris

> Actually, per the latest CA/Browser forum guidelines, subject.CN is not
> only optional but “discouraged”.
>
> -FG
>
>> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
>>
>> SubjectCN is an operational requirement of X.509, I believe.  It's not
>> optional in the data structure, at any rate.
>>
>> -Kyle H
>>
>>> On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson <mcr at sandelman.ca>
>>> wrote:
>>>
>>>
>>> Salz, Rich via openssl-users <openssl-users at openssl.org> wrote:
>>>> Putting the DNS name in the CN part of the subjectDN has been
>>>> deprecated for a very long time (more than 10 years), although it
>>>> is still supported by many existing browsers. New certificates
>>>> should only use the subjectAltName extension.
>>>
>>> Fair enough.
>>>
>>> It seems that the "openssl ca" mechanism still seems to want a subjectDN
>>> defined.  Am I missing some mechanism that would let me omit all of
>>> that?  Or is a patch needed to kill what seems like a current operational
>>> requirement?
>>>
>>> --
>>> ]               Never tell me the odds!                 | ipv6 mesh networks [
>>> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
>>> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>>>
>>> --
>>> openssl-users mailing list
>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
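The question above (where a non-browser client identity belongs) and the quoted "openssl ca" question (whether the subjectDN can be omitted) are illustrated by the following script. It is an added example, not code from the thread or from the OpenSSL project: it issues a client certificate for a hypothetical MQTT device with an empty subject and the identity carried only in a critical subjectAltName, then reads the identity back the way a broker or authorizer should, from the SAN and never from the CN. It assumes OpenSSL 1.1.1 or later on PATH, signs with `openssl x509 -req` plus an `-extfile` rather than with `openssl ca`, and the device identity `urn:example:mqtt:device:sensor-17` and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): client certificate for an MQTT device
# whose identity lives ONLY in subjectAltName, with an empty subject, plus the
# relying-party checks. Assumes OpenSSL 1.1.1+; all names/values are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# The device identity. A URI SAN is used because an MQTT client is not a DNS
# host; the value is a constructed placeholder for this example.
CLIENT_ID="urn:example:mqtt:device:sensor-17"

# 1. Throwaway CA for the demonstration (self-signed, 1-day validity).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example MQTT CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. CSR with an EMPTY subject ("/"): no CN, no O, nothing at all.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

# 3. Sign it. The SAN is supplied through -extfile because "x509 -req" in
#    1.1.1 does not copy CSR extensions. RFC 5280 section 4.1.2.6 requires a
#    certificate with an empty subject to carry subjectAltName marked critical.
printf 'subjectAltName=critical,URI:%s\n' "$CLIENT_ID" > "$WORK/client.ext"
openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null

# Relying-party side (what a broker does after the TLS handshake): validate
# the chain, then take the identity from the SAN. The CN is never consulted,
# so its absence is irrelevant.
verify_client() {                       # $1 = client cert, $2 = CA cert
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

client_identity() {                     # $1 = client cert; prints the URI SAN
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *URI:\([^,]*\).*$/\1/p' | head -n 1
}

client_subject() {                      # $1 = client cert; prints "subject=..."
  openssl x509 -in "$1" -noout -subject
}

verify_client "$WORK/client.crt" "$WORK/ca.crt"
echo "identity: $(client_identity "$WORK/client.crt")"
echo "$(client_subject "$WORK/client.crt")"   # nothing after "subject=": it is empty
```

The point for the MQTT case is the split between the two halves: the issuing side decides once that the identity is a URI (or an e-mail address or DNS name, whichever GeneralName type fits the client), and the authorizing side only ever looks at that SAN type. Putting the same string in the CN as well does no harm, but a relying party that falls back to the CN when the SAN is missing has two sources of truth to keep consistent, which is the situation the CA/Browser forum guidance quoted above is moving away from.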