[openssl-users] Subject CN and SANs

Viktor Dukhovni openssl-users at dukhovni.org
Sun Dec 23 19:11:48 UTC 2018


> On Dec 23, 2018, at 10:21 AM, Michael Richardson <mcr at sandelman.ca> wrote:
> 
> It seems that the "openssl ca" mechanism still seems to want a subjectDN
> defined.  Am I missing some mechanism that would let me omit all of that?  Or
> is a patch needed to kill what seems like a current operational requirement?

It is not a matter of "openssl ca".  An X.509 certificate has a subjectDN,
that's a required part of the certificate structure.  However, a "DN" is a
SEQUENCE of "RDNs", and that sequence can be empty, for example (requires "bash"):

  $ openssl req -config <(
          printf "%s\n[dn]\n%s\n[ext]\n%s\n" \
            "distinguished_name = dn" \
            "prompt = yes" \
            "$(printf "subjectAltName = DNS:%s\n" "example.com")"
          ) \
        -extensions ext -new -newkey rsa:1024 -nodes -keyout /dev/null \
        -x509 -subj / 2>/dev/null |
      openssl x509 -noout -text -certopt no_pubkey,no_sigdump
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              47:37:cb:39:a4:9c:be:c2:ea:42:2f:ed:e2:df:bc:62:bb:2b:cb:dd
          Signature Algorithm: sha256WithRSAEncryption
          Issuer: 
          Validity
              Not Before: Dec 23 18:56:08 2018 GMT
              Not After : Jan 22 18:56:08 2019 GMT
          Subject: 
          X509v3 extensions:
              X509v3 Subject Alternative Name: 
                  DNS:example.com

Note the empty subjectDN and issuerDN.  The latter violates RFC5280, but
will suffice for this example.  An RFC compliant *self-signed* certificate
needs to have a non-empty issuer name, so it could be something like:

  $ openssl req -config <(
          printf "%s\n[dn]\n%s\n[ext]\n%s\n" \
            "distinguished_name = dn" \
            "prompt = yes" \
            "$(printf "subjectAltName = DNS:%s\n" "example.com")"
          ) \
        -extensions ext -new -newkey rsa:1024 -nodes -keyout /dev/null \
        -x509 -subj "/O=Self" 2>/dev/null |
      openssl x509 -noout -text -certopt no_pubkey,no_sigdump
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              6b:f0:9e:6c:ff:27:f3:cb:eb:79:10:6d:ac:9a:c2:54:e4:78:06:b0
          Signature Algorithm: sha256WithRSAEncryption
          Issuer: O = Self
          Validity
              Not Before: Dec 23 19:08:51 2018 GMT
              Not After : Jan 22 19:08:51 2019 GMT
          Subject: O = Self
          X509v3 extensions:
              X509v3 Subject Alternative Name: 
                  DNS:example.com

With an actual CA, the subject could be empty, and the issuer will be the
CA's DN.

-- 
	Viktor.
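
The CA-issued case mentioned at the end of the reply, as an added example that is not code from this thread: a self-signed CA with a real DN issues a leaf certificate whose subject is the empty sequence and whose identity sits only in the SAN, and a small checker applies the RFC 5280 section 4.1.2.6 rule that such a certificate must carry a critical subjectAltName. It assumes the openssl command (1.1.1 or newer) is on PATH; the CA name `Example CA`, the `example.com` SAN and all file names are constructed for the example.

```shell
# Added example (not from the original post): a CA with a DN issues a leaf whose
# subject is the empty SEQUENCE and whose identity is in the SAN; a checker then
# applies RFC 5280 4.1.2.6 (empty subject => critical subjectAltName).
# Assumes the openssl CLI (1.1.1+); names and paths are constructed.

# issue_certs DIR: writes ca.crt plus two leaves with an empty subject:
# leaf-ok.crt (critical SAN) and leaf-bad.crt (non-critical SAN).
issue_certs() {
  dir=$1
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ok]
subjectAltName = critical, DNS:example.com
[bad]
subjectAltName = DNS:example.com
EOF
  # Self-signed CA: RFC 5280 needs a non-empty issuer, so it gets O=Example CA.
  openssl req -config "$dir/req.cnf" -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -extensions ca_ext -subj "/O=Example CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # CSR with the empty subject ("/"); the issuer is supplied by the CA below.
  openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes -subj / \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  for kind in ok bad; do
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 1 -extfile "$dir/req.cnf" -extensions "$kind" \
      -out "$dir/leaf-$kind.crt" 2>/dev/null
  done
}

# check_empty_subject CERT: 0 if subject is empty and SAN is critical, else 1.
check_empty_subject() {
  text=$(openssl x509 -in "$1" -noout -text -certopt no_pubkey,no_sigdump)
  subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p')
  if [ -n "$subject" ]; then
    echo "subject is not empty: $subject"; return 1
  fi
  if ! printf '%s\n' "$text" | grep -q 'Subject Alternative Name: critical'; then
    echo "empty subject but subjectAltName is missing or not critical"; return 1
  fi
  echo "ok: empty subject with critical subjectAltName"
}
```

Running `issue_certs` into a scratch directory and then `openssl verify -CAfile ca.crt -verify_hostname example.com leaf-ok.crt` shows that the empty-subject leaf chains and matches its name purely through the SAN, while `check_empty_subject leaf-bad.crt` flags the non-critical SAN.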