[openssl-users] Subject CN and SANs
chris.gray at kiffer.be
chris.gray at kiffer.be
Mon Dec 24 09:59:43 UTC 2018
A bit off-topic but is it also a good idea to follow these guidelines in
non-browser use cases, for example for a client certificate which is used
to autenticate on a TLS connection which will be used for another protocol
such as MQTT? In this case the SubjectCN looks like a "natural" place to
put the client's identity, but maybe it is still better to use
subjectAltName?
- Chris
> Actually, per the latest CA/Browser forum guidelines, subject.CN is not
> only optional but âdiscouragedâ.
>
> -FG
>
>> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
>>
>> SubjectCN is an operational requirement of X.509, I believe. It's not
>> optional in the data structure, at any rate.
>>
>> -Kyle H
>>
>>> On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson <mcr at sandelman.ca>
>>> wrote:
>>>
>>>
>>> Salz, Rich via openssl-users <openssl-users at openssl.org> wrote:
>>>> Putting the DNS name in the CN part of the subjectDN has been
>>>> deprecated for a very long time (more than 10 years), although it
>>>> is still supported by many existing browsers. New certificates
>>>> should only use the subjectAltName extension.
>>>
>>> Fair enough.
>>>
>>> It seems that the "openssl ca" mechanism still seem to want a subjectDN
>>> defined. Am I missing some mechanism that would let me omit all of
>>> that? Or
>>> is a patch needed to kill what seems like a current operational
>>> requirement?
>>>
>>> --
>>> ] Never tell me the odds! | ipv6 mesh
>>> networks [
>>> ] Michael Richardson, Sandelman Software Works | IoT
>>> architect [
>>> ] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on
>>> rails [
>>>
>>> --
>>> openssl-users mailing list
>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
More information about the openssl-users
mailing list