[openssl-users] Implementing deprecation of commonname and emailaddress
rgm at htt-consult.com
Thu Aug 17 15:28:33 UTC 2017
thanks for the reply.
On 08/17/2017 11:15 AM, Viktor Dukhovni wrote:
> On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:
>>> Remove commonName and emailAddress completely from the cnf file. They no
>>> longer belong in any cert, root or intermediate CA certs, server or user
>> CommonName is supplied for viewing by tools like certificate viewers.
>> It should probably be a friendly name, like "Example Web Services".
> RFC 5280 suggests an empty subject DN with all the desired names
> in the the subject alt name extension.
>> When you see a name like "example.com" in the CN, its usually a CA
>> including a domain name and not a hostname.
> That's nonsense.
>>> For servers include something like in the cnf file:
>>> subjectAltName = DNS:www.example.com, DNS:example.com, DNS=localhost,
>>> EMAIL:postmaster at example.com
>> Don't include an email address.
> That is, don't incude unless the certificate is intended for S/MIME.
Or to provide an easy way to contact the server admin if there is a
problem/question with the cert? Even without S/MIME?
>> X.509 and PKIX certificates don't really have a proper field for email
>> addresses. That's why they get mashed into CommonName.
> They sure do, that what's rfc822Name is for in the subject alt name
> extenstion. It supports S/MIME certificates. There's even recent
> work (soon to be an RFC) to internationalize this with SmtpUTF8Name...
That is what I thought, too. Just not the full email format like:
Viktor Dukhovni <openssl-users at dukhovni.org>
>>> Um, I can specify 'localhost' in this manner if I am on the server and
>>> connecting in the browser with https://localhost ??
> You can, but it is not a good idea. Since that "localhost" will
> then work on every host that trusts the issuing CA. The only way
> to make this reasonably secure is to have a per-host issuing CA
> that's only trusted on *that* host, and *that* CA can then issue
> the "localhost" certificate. All the hosts can additionally
> trust other shared CAs.
So better to provide a self-signed cert if a server is going to be
accessed from a browser on the server via https://localhost
>>> I am looking at how to build the above line using ENV variables. It is more
>>> a matter of how I do it than can I do it...
> The tricky bit is creating a variable number of SAN elements, I don't
> know how to do that with just environment variables. Sometimes building
> a config file on the fly is the way to go.
The simplest that I have come up with is:
export SAN = "DNS:example.com, DNS:www.example.com,
EMAIL:postmaster at example.com"
and in the cnf
subjectAltName = $SAN
I think. I am not yet up to testing this....
More information about the openssl-users