[openssl-users] Subject CN and SANs
Felipe Gasper
felipe at felipegasper.com
Sun Dec 23 21:50:58 UTC 2018
Actually, per the latest CA/Browser Forum guidelines, subject.CN is not only optional but “discouraged”.
-FG
> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
>
> SubjectCN is an operational requirement of X.509, I believe. It's not
> optional in the data structure, at any rate.
>
> -Kyle H
>
>> On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson <mcr at sandelman.ca> wrote:
>>
>>
>> Salz, Rich via openssl-users <openssl-users at openssl.org> wrote:
>>> Putting the DNS name in the CN part of the subjectDN has been
>>> deprecated for a very long time (more than 10 years), although it
>>> is still supported by many existing browsers. New certificates
>>> should only use the subjectAltName extension.
>>
>> Fair enough.
>>
>> It seems that the "openssl ca" mechanism still seems to want a subjectDN
>> defined. Am I missing some mechanism that would let me omit all of that? Or
>> is a patch needed to kill what seems like a current operational requirement?
>>
>> --
>> ] Never tell me the odds! | ipv6 mesh networks [
>> ] Michael Richardson, Sandelman Software Works | IoT architect [
>> ] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users