[openssl-users] Implementing deprecation of commonname and emailaddress

Robert Moskowitz rgm at htt-consult.com
Thu Aug 17 15:28:33 UTC 2017


Thanks for the reply.

On 08/17/2017 11:15 AM, Viktor Dukhovni wrote:
> On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:
>>> Remove commonName and emailAddress completely from the cnf file. They no
>>> longer belong in any cert, root or intermediate CA certs, server or user
>>> certs.
>> CommonName is supplied for viewing by tools like certificate viewers.
>> It should probably be a friendly name, like "Example Web Services".
> RFC 5280 suggests an empty subject DN with all the desired names
> in the subject alt name extension.
>> When you see a name like "example.com" in the CN, it's usually a CA
>> including a domain name and not a hostname.
> That's nonsense.
>>> For servers include something like in the cnf file:
>>> subjectAltName = DNS:www.example.com, DNS:example.com, DNS:localhost, email:postmaster@example.com
>> Don't include an email address.
> That is, don't include unless the certificate is intended for S/MIME.

Or to provide an easy way to contact the server admin if there is a 
problem/question with the cert?  Even without S/MIME?

>> X.509 and PKIX certificates don't really have a proper field for email
>> addresses. That's why they get mashed into CommonName.
> They sure do, that's what rfc822Name is for in the subject alt name
> extension.  It supports S/MIME certificates.  There's even recent
> work (soon to be an RFC) to internationalize this with SmtpUTF8Name...

That is what I thought, too.  Just not the full email format like:

Viktor Dukhovni <openssl-users at dukhovni.org>

>>> Um, I can specify 'localhost' in this manner if I am on the server and
>>> connecting in the browser with https://localhost ??
>> Yes.
> You can, but it is not a good idea.  Since that "localhost" will
> then work on every host that trusts the issuing CA.  The only way
> to make this reasonably secure is to have a per-host issuing CA
> that's only trusted on *that* host, and *that* CA can then issue
> the "localhost" certificate.  All the hosts can additionally
> trust other shared CAs.

So better to provide a self-signed cert if a server is going to be 
accessed from a browser on the server via https://localhost

>>> I am looking at how to build the above line using ENV variables. It is more
>>> a matter of how I do it than can I do it...
> The tricky bit is creating a variable number of SAN elements, I don't
> know how to do that with just environment variables.  Sometimes building
> a config file on the fly is the way to go.

The simplest that I have come up with is:

export SAN="DNS:example.com, DNS:www.example.com, email:postmaster@example.com"

and in the cnf

subjectAltName = $ENV::SAN

I think.   I am not yet up to testing this....
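
An added example, not code from this thread or from the OpenSSL project, of building the SAN section on the fly for a variable number of names, as suggested in the quoted reply above. The function names, the section names v3_san and alt_names, and the SAN_ALLOW_LOCALHOST switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an OpenSSL extension file with one SAN entry per argument.
# Section names v3_san/alt_names and SAN_ALLOW_LOCALHOST are this example's choices.

# Print the OpenSSL SAN keyword for one value; fail on anything that could
# smuggle extra config syntax (spaces, commas, '=', '$', newlines, ...).
san_type() {
    case "$1" in
        ''|*[!A-Za-z0-9.@:*+_-]*) return 1 ;;
        *@*)       echo email ;;   # rfc822Name; the keyword is lowercase
        *:*)       echo IP ;;      # IPv6 literal; OpenSSL validates it later
        *[!0-9.]*) echo DNS ;;
        *)         echo IP ;;      # digits and dots only: IPv4
    esac
}

make_san_cnf() {
    entries='' n=0
    for name in "$@"; do
        kind=$(san_type "$name") || { echo "rejected SAN value" >&2; return 1; }
        # A "localhost" cert is valid on every host that trusts the issuing CA,
        # so require an explicit opt-in (meant for a per-host CA).
        if [ "$name" = localhost ] && [ "${SAN_ALLOW_LOCALHOST:-0}" != 1 ]; then
            echo "localhost needs SAN_ALLOW_LOCALHOST=1" >&2; return 1
        fi
        n=$((n + 1))
        entries="${entries}${kind}.${n} = ${name}
"
    done
    [ "$n" -gt 0 ] || { echo "no SAN values given" >&2; return 1; }
    # Add "critical," before @alt_names when the subject DN is empty (RFC 5280).
    printf '[v3_san]\nsubjectAltName = @alt_names\n\n[alt_names]\n%s' "$entries"
}
```

Redirect the output to a file and pass it to `openssl x509 -req` with `-extfile` and `-extensions v3_san`.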

