[openssl-users] CSR with multiple subject names?

Jakob Bohm jb-openssl at wisemo.com
Fri Jun 2 03:07:32 UTC 2017


On 01/06/2017 16:26, l vic wrote:
> I am working with a service with TLS authn that uses the subject name to
> authenticate the client.
> Is it possible to use a list of subject names in the client certificate so
> that the service could authenticate several clients with the same
> key/certificate? If not, would it be possible to use alternative
> subject names for the same purpose? Can SANs only be used in the context
> of DNS domains, e.g. to authenticate the same subject name calling from
> different DNS domains?
SANs (SubjectAlternativeNames) can contain all the name types
(unlike the main Subject, which can only contain a backwards
compatible DirectoryName).

Depending on what kind of identity a server wants to identify,
good choices for user identifying SANs are:

  - rfc822Name ("user@sub.domain.tld")
  - DirectoryName (CN=First Middle Last, OU=Department, O=Example company, street=SomeRoad 123, L=12345 SomeCity, ST=SomeState, C=US)

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
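
The reply above names rfc822Name and DirectoryName as SAN types for identifying users. The following is an added example, not part of the original message: a shell sketch that requests both in one CSR with `openssl req` and reads them back. The function names, file names and section names are assumptions made for illustration; the name values reuse the sample values from the message.

```shell
#!/bin/sh
# Added example: CSR whose subjectAltName carries an rfc822Name and a
# directoryName. Helper, file and section names are illustrative assumptions.

# write_csr_config FILE: write an "openssl req" config requesting both SAN types.
write_csr_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = subject_dn
req_extensions     = v3_req

[ subject_dn ]
CN = First Middle Last

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
email.1   = user@sub.domain.tld
dirName.1 = user_dir

[ user_dir ]
C  = US
O  = Example company
OU = Department
CN = First Middle Last
EOF
}

# make_csr WORKDIR: generate a throwaway key and the CSR inside WORKDIR.
make_csr() {
    write_csr_config "$1/csr.cnf" &&
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$1/csr.cnf" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
}

# csr_sans CSRFILE: print the SAN entries the CSR actually contains.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1
}

# Usage: d=$(mktemp -d); make_csr "$d" && csr_sans "$d/client.csr"
```

A CA only carries these names into the issued certificate if it copies or re-adds the extension when signing, so inspect the certificate as well as the CSR.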


