[openssl-users] Throwing in the towel on ENV for DN

Viktor Dukhovni openssl-users at dukhovni.org
Fri Aug 18 13:17:18 UTC 2017

On Fri, Aug 18, 2017 at 08:48:07AM -0400, Jeffrey Walton wrote:

> If this is a private PKI, then you can do things like that.
> But I believe you need a distinguished name if you are following the
> RFCs. Maybe you can modify your script to stuff the principal name
> from the SAN in the DN somewhere.

The subject DN is allowed (and indeed recommended in RFC 5280) to
be an empty RDN sequence (with the subject alt name extension
marked critical, and holding the relevant names, in practice
not marking critical works just as well).

The issuer DN is the CA's subject name and is fixed, so not
the OP's problem.


More information about the openssl-users mailing list