client certs with no subjectName only SAN

Robert Moskowitz rgm at htt-consult.com
Thu Aug 15 20:27:22 UTC 2019



On 8/15/19 4:13 PM, Salz, Rich wrote:
> subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark subjectAltName as non-critical"

Fine with me.

> I can believe that OpenSSL doesn't support empty subjectNames.  An empty one, with no relative distinguished name components, is not the same as not present.

It does seem empty with that -subj / command line option.

I am not seeing subjectName in this dump of the cert:

$    openssl asn1parse -i -in $dir/certs/device1.cert.pem
     0:d=0  hl=4 l= 439 cons: SEQUENCE
     4:d=1  hl=4 l= 361 cons:  SEQUENCE
     8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
    10:d=3  hl=2 l=   1 prim:    INTEGER           :02
    13:d=2  hl=2 l=   9 prim:   INTEGER           :C98FB27BE19574CF
    24:d=2  hl=2 l=   5 cons:   SEQUENCE
    26:d=3  hl=2 l=   3 prim:    OBJECT            :ED25519
    31:d=2  hl=2 l=  29 cons:   SEQUENCE
    33:d=3  hl=2 l=  27 cons:    SET
    35:d=4  hl=2 l=  25 cons:     SEQUENCE
    37:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
    42:d=5  hl=2 l=  18 prim:      UTF8STRING :2001:24:28:14::/64
    62:d=2  hl=2 l=  30 cons:   SEQUENCE
    64:d=3  hl=2 l=  13 prim:    UTCTIME           :190815195117Z
    79:d=3  hl=2 l=  13 prim:    UTCTIME           :200824195117Z
    94:d=2  hl=2 l=   0 cons:   SEQUENCE
    96:d=2  hl=2 l=  42 cons:   SEQUENCE
    98:d=3  hl=2 l=   5 cons:    SEQUENCE
   100:d=4  hl=2 l=   3 prim:     OBJECT            :ED25519
   105:d=3  hl=2 l=  33 prim:    BIT STRING
   140:d=2  hl=3 l= 226 cons:   cont [ 3 ]
   143:d=3  hl=3 l= 223 cons:    SEQUENCE
   146:d=4  hl=2 l=   9 cons:     SEQUENCE
   148:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Basic Constraints
   153:d=5  hl=2 l=   2 prim:      OCTET STRING      [HEX DUMP]:3000
   157:d=4  hl=2 l=  17 cons:     SEQUENCE
   159:d=5  hl=2 l=   9 prim:      OBJECT            :Netscape Cert Type
   170:d=5  hl=2 l=   4 prim:      OCTET STRING      [HEX DUMP]:030205A0
   176:d=4  hl=2 l=  51 cons:     SEQUENCE
   178:d=5  hl=2 l=   9 prim:      OBJECT            :Netscape Comment
   189:d=5  hl=2 l=  38 prim:      OCTET STRING      [HEX DUMP]:16244F70656E53534C2047656E65726174656420436C69656E74204365727469666963617465
   229:d=4  hl=2 l=  29 cons:     SEQUENCE
   231:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject Key Identifier
   236:d=5  hl=2 l=  22 prim:      OCTET STRING      [HEX DUMP]:041497B0DCA27493CF765E826C089C467383D3868E9A
   260:d=4  hl=2 l=  31 cons:     SEQUENCE
   262:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Authority Key Identifier
   267:d=5  hl=2 l=  24 prim:      OCTET STRING      [HEX DUMP]:30168014B145189B33826C7429692A15933B1C31D237D6CA
   293:d=4  hl=2 l=  14 cons:     SEQUENCE
   295:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Key Usage
   300:d=5  hl=2 l=   1 prim:      BOOLEAN           :255
   303:d=5  hl=2 l=   4 prim:      OCTET STRING      [HEX DUMP]:030205E0
   309:d=4  hl=2 l=  29 cons:     SEQUENCE
   311:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Extended Key Usage
   316:d=5  hl=2 l=  22 prim:      OCTET STRING      [HEX DUMP]:301406082B0601050507030206082B06010505070304
   340:d=4  hl=2 l=  27 cons:     SEQUENCE
   342:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject Alternative Name
   347:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:301287102001002400280014B8AF2789CBB9F7AC
   369:d=1  hl=2 l=   5 cons:  SEQUENCE
   371:d=2  hl=2 l=   3 prim:   OBJECT            :ED25519
   376:d=1  hl=2 l=  65 prim:  BIT STRING
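An added check, not from the thread or from OpenSSL: it decodes the subjectAltName OCTET STRING shown at offset 347 of the dump above and applies the RFC 5280 section 4.1.2.6 rule that a certificate whose subject is an empty SEQUENCE (the zero-length SEQUENCE at offset 94 in this dump, sitting between validity and subjectPublicKeyInfo) must carry a subjectAltName marked critical. The inputs for the post's certificate are read off the dump: subject empty, SAN present, and the SAN extension at offset 340 has no BOOLEAN, so it is non-critical (compare Key Usage at offset 300).

```python
import ipaddress

# SAN extension value copied from the asn1parse dump in the post (offset 347).
SAN_DER = bytes.fromhex("301287102001002400280014B8AF2789CBB9F7AC")

def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_general_names(der):
    """Decode SubjectAltName (SEQUENCE OF GeneralName) for the common choices."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("subjectAltName is not a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        choice = tag & 0x1F                # context tag number selects the GeneralName choice
        if choice == 7:                    # [7] iPAddress: 4 or 16 raw octets
            names.append(("iPAddress", str(ipaddress.ip_address(val))))
        elif choice == 2:                  # [2] dNSName
            names.append(("dNSName", val.decode("ascii")))
        elif choice == 1:                  # [1] rfc822Name
            names.append(("rfc822Name", val.decode("ascii")))
        elif choice == 6:                  # [6] uniformResourceIdentifier
            names.append(("uniformResourceIdentifier", val.decode("ascii")))
        else:
            names.append((f"other[{choice}]", val.hex()))
    return names

def check_empty_subject_rules(subject_is_empty, san_present, san_critical):
    """RFC 5280 4.1.2.6: if subject is empty, subjectAltName MUST be present and critical."""
    problems = []
    if subject_is_empty and not san_present:
        problems.append("subject is empty but subjectAltName is absent")
    elif subject_is_empty and not san_critical:
        problems.append("subject is empty but subjectAltName is not marked critical")
    return problems

def check_post_certificate():
    """Values read off the dump: empty SEQUENCE at offset 94, SAN at 340 with no BOOLEAN."""
    return check_empty_subject_rules(subject_is_empty=True, san_present=True, san_critical=False)

if __name__ == "__main__":
    print(parse_general_names(SAN_DER))
    print(check_post_certificate())
```

The decoded SAN is a single iPAddress, so a verifier that only matches hostnames or e-mail addresses will find no usable name in this certificate at all.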
