[openssl-users] Subject CN and SANs
Viktor Dukhovni
openssl-users at dukhovni.org
Sun Dec 23 23:33:41 UTC 2018
> On Dec 23, 2018, at 6:01 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
>
> You're right, I typoed. SubjectDN is non-optional. But it can, as
> you mentioned, be an empty sequence.
>
> But for PKIX purposes, it can't be empty if it's an Issuer (because
> IssuerDN can't be empty in the certificates that it issues).

That's an odd use of "it", since the issuerDN, while also a DN, is not
a subjectDN. The "it" that is the subjectDN is sometimes legitimately
empty. The other "it" that is the issuerDN is supposed to always be
non-empty, but some self-signed certificates violate that requirement
with apparent impunity, e.g. nothing in OpenSSL requires a non-empty
issuer DN in an end-entity self-signed certificate; if it breaks, the
constraint would be at the application layer.
--
Viktor.
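
Since the message above places any non-empty issuer DN requirement at the application layer, here is an added example (not part of the original message and not OpenSSL code) of such a check: a minimal DER walk that reports whether a certificate's issuer and subject Names are empty SEQUENCEs. The function names and the constructed sample skeletons are assumptions made for illustration.

```python
# Added example: minimal DER walk to flag empty issuer/subject DNs.

def read_tlv(buf, off):
    """Return (tag, content, next_offset) for the DER element at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = read_tlv(content, off)
        out.append((tag, body))
    return out

def dn_emptiness(cert_der):
    """Report whether issuer and subject are empty SEQUENCEs in a DER certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert)[0][1])  # fields of tbsCertificate
    if fields and fields[0][0] == 0xA0:      # optional [0] EXPLICIT version
        fields = fields[1:]
    if len(fields) < 5:
        raise ValueError("tbsCertificate too short")
    # Order after version: serial, signature, issuer, validity, subject
    return {"issuer_empty": fields[2][1] == b"", "subject_empty": fields[4][1] == b""}

# --- Constructed sample input (structural skeleton, not a validly signed cert) ---
def tlv(tag, content=b""):
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])  # samples stay < 256 bytes
    return hdr + content

def skeleton(issuer, subject):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30)
              + issuer + tlv(0x30) + subject + tlv(0x30))
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))

CN = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"example"))))
EMPTY = tlv(0x30)
```

An application that wants the issuer constraint enforced would reject input where `issuer_empty` is true, while treating `subject_empty` as a case that is sometimes legitimate.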