[openssl-users] Subject CN and SANs

Viktor Dukhovni openssl-users at dukhovni.org
Sun Dec 23 23:33:41 UTC 2018

> On Dec 23, 2018, at 6:01 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
> You're right, I typoed.  SubjectDN is non-optional.  But it can, as
> you mentioned, be an empty sequence.
> But for PKIX purposes, it can't be empty if it's an Issuer (because
> IssuerDN can't be empty in the certificates that it issues).

That's an odd use of "it", since the issuerDN while also a DN is not
a subjectDN.  The "it" that is the subjectDN is sometimes legitimately
empty.  The other "it" that is the issuerDN is supposed to always be
non-empty, but some self-signed certificates violate that requirement
with apparent impunity, e.g. nothing in OpenSSL requires a non-empty
issuer DN in an end-entity self-signed certificate, if it breaks, the
constraint would be at the application layer.


More information about the openssl-users mailing list