client certs with no subjectName only SAN

Robert Moskowitz rgm at htt-consult.com
Thu Aug 15 20:06:48 UTC 2019


There are a number of things I am not clear on, and so far my searching 
and reading is coming up short.

If there is no subjectName, only subjectAltName, is the subjectName 
still present in the cert, only empty, or is it totally gone?

I have found that if I put

-subj /

in the openssl req, I end up with an empty subjectName.  Or is there 
some way to totally remove this from the cert?

For the subjectAltName, is it supposed to be flagged critical?  I have 
seen references of:

subjectAltName=critical,email:certtest@example.com

Is this correct and the way to set SAN as critical?

thanks

The cert I have made so far is:

$openssl x509 -noout -text -in $dir/certs/device1.cert.pem
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             c9:8f:b2:7b:e1:95:74:cf
         Signature Algorithm: ED25519
         Issuer: CN = 2001:24:28:14::/64
         Validity
             Not Before: Aug 15 19:51:17 2019 GMT
             Not After : Aug 24 19:51:17 2020 GMT
         Subject:
         Subject Public Key Info:
             Public Key Algorithm: ED25519
                 ED25519 Public-Key:
                 pub:
                     7a:a6:f2:7d:14:8f:fd:a9:55:d9:6f:d6:04:a1:e6:
                     6d:9e:34:1f:d3:2b:59:80:cc:2f:4c:83:4f:81:a0:
                     10:36
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Cert Type:
                 SSL Client, S/MIME
             Netscape Comment:
                 OpenSSL Generated Client Certificate
             X509v3 Subject Key Identifier:
                 97:B0:DC:A2:74:93:CF:76:5E:82:6C:08:9C:46:73:83:D3:86:8E:9A
             X509v3 Authority Key Identifier:
                 keyid:B1:45:18:9B:33:82:6C:74:29:69:2A:15:93:3B:1C:31:D2:37:D6:CA

             X509v3 Key Usage: critical
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Extended Key Usage:
                 TLS Web Client Authentication, E-mail Protection
             X509v3 Subject Alternative Name:
                 IP Address:2001:24:28:14:B8AF:2789:CBB9:F7AC
     Signature Algorithm: ED25519
          32:2e:7d:4d:ad:4d:87:4c:57:1a:df:ef:e3:ec:2b:b5:a7:fe:
          2f:48:73:32:72:1a:b6:4a:cd:e4:88:75:98:4d:b0:9a:79:48:
          2b:2c:12:68:0f:c0:86:bd:d9:4e:4b:85:fb:f3:91:68:f4:ec:
          18:99:dd:7e:d5:f8:b6:f0:08:0e
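
Added example, not part of the original post: RFC 5280 makes subject a mandatory field of TBSCertificate, so a certificate without a subject name carries an empty SEQUENCE (30 00), and section 4.1.2.6 requires subjectAltName to be marked critical in that case. The sketch below walks the DER of a certificate and checks both points; the function names are hypothetical, and the sample certificate is constructed (zero-filled key and signature, documentation address 2001:db8::1), so nothing in it verifies.

```python
SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName

def tlv(tag, body=b""):  # encode one DER TLV, short or long length form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def children(body):
    """Split a constructed value's body into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def inspect(cert_der):
    """Return (subject_is_empty_sequence, san_present, san_critical)."""
    tbs = children(children(children(cert_der)[0][1])[0][1])
    off = 1 if tbs[0][0] == 0xA0 else 0   # [0] version is absent in v1 certs
    subject = tbs[off + 4][1]             # serial, sigalg, issuer, validity, subject
    present = critical = False
    for tag, val in tbs[off + 6:]:
        if tag == 0xA3:                   # [3] extensions
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)    # extnID, optional critical, extnValue
                if fields[0][1] == SAN_OID:
                    present, critical = True, fields[1] == (0x01, b"\xff")
    return subject == b"", present, critical

def empty_subject_ok(cert_der):  # RFC 5280 4.1.2.6 rule for empty subjects
    empty, present, critical = inspect(cert_der)
    return (present and critical) if empty else True

def sample_cert(san_critical):
    """Constructed test input: empty subject, one IP SAN, junk signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))  # 1.3.101.112 Ed25519
    cn = tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Example CA")
    san = tlv(0x30, tlv(0x87, bytes.fromhex("20010db8" + "00" * 11 + "01")))
    crit = tlv(0x01, b"\xff") if san_critical else b""
    ext = tlv(0x30, tlv(0x06, SAN_OID) + crit + tlv(0x04, san))
    dates = tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, tlv(0x31, tlv(0x30, cn))) + tlv(0x30, dates)
              + tlv(0x30)  # subject is present as 30 00, not omitted
              + tlv(0x30, alg + tlv(0x03, bytes(33))) + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(65)))
```

To run the same check on a real certificate, convert it to DER first (openssl x509 -outform DER) and pass the bytes to inspect().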


