[openssl-users] Implementing deprecation of commonname and emailaddress

Erwann Abalea Erwann.Abalea at docusign.com
Thu Aug 17 15:34:29 UTC 2017

> Le 17 août 2017 à 17:26, Jeffrey Walton <noloader at gmail.com> a écrit :
>>> When you see a name like "example.com" in the CN, its usually a CA
>>> including a domain name and not a hostname.
>> That's nonsense.
> If a certificate is issued under CA/B policies, and CN=example.com but
> it _lacks_ SAN=example.com, then its a not a hostname and it should
> not be matched.

Such a certificate would be mis-issued and be revoked immediately. CN MUST be an FQDN (or a wild carded FQDN, or an IP address), and a copy of the value in CN MUST be present in the SAN extension.

Erwann Abalea

More information about the openssl-users mailing list