[openssl-users] Subject CN and SANs

Viktor Dukhovni openssl-users at dukhovni.org
Mon Dec 24 23:16:17 UTC 2018

> On Dec 24, 2018, at 5:51 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:

> If a certificate identifies an Issuer, then the certificate cannot contain an empty sequence of RDNs in the Subject and still be conformant to PKIX.

Yes, CA certificates need to have a non-empty subject name if they're
to be used for signing subordinate certificates.

End-entity certificates do not need to have a non-empty subject name,
and some do not.  The usual public CAs have on the whole not yet
stopped populating CN values into the subject DN of subordinate EE
certificates, but when the DNS name in question is longer than ~64 bytes,
they have no choice but to omit the CN.

Undoubtedly a search through the CT logs would find some examples.
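Building a certificate of the kind described above, as an added example that is not part of the thread: the openssl CLI refuses a 75-character CN, while an empty subject plus a critical subjectAltName issues cleanly and passes hostname verification. It assumes the openssl binary (1.1.1 or later) is on PATH; the CA name, file names and the DNS name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): an end-entity certificate with an
# EMPTY subject whose only identity is a critical subjectAltName carrying
# a DNS name too long for a CN. Requires the openssl CLI (1.1.1 or later).
set -eu
# Constructed name: one 63-octet label plus ".example.com", 75 characters,
# above ub-common-name (64), so it cannot be placed in a CN.
LONG_NAME="abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0.example.com"
WORK=$(mktemp -d)

# Issuer: a CA certificate must carry a non-empty subject.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# Attempt the long name as a CN: OpenSSL enforces the 64-character upper
# bound and rejects it ("string too long"), so this returns non-zero.
try_long_cn() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$LONG_NAME" \
        -keyout "$WORK/bad.key" -out "$WORK/bad.csr" 2>/dev/null
}
# The conformant alternative: "/" gives an empty subject (NULL-DN), and the
# name goes in a SAN marked critical, as RFC 5280 section 4.1.2.6 requires
# whenever the subject is empty.
issue_empty_subject_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/" \
        -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
    printf 'subjectAltName=critical,DNS:%s\n' "$LONG_NAME" >"$WORK/ee.ext"
    openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ee.ext" -out "$WORK/ee.crt" 2>/dev/null
}
# Subject line as printed by openssl; for the EE cert it is just "subject=".
ee_subject() { openssl x509 -in "$WORK/ee.crt" -noout -subject; }

# Chain and hostname check: with no CN, the match can only come from the SAN.
check_hostname() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$LONG_NAME" "$WORK/ee.crt"
}

demo() {
    make_ca
    if try_long_cn; then echo "unexpected: long CN accepted"; return 1; fi
    echo "long CN rejected, as expected"
    issue_empty_subject_cert
    ee_subject
    openssl x509 -in "$WORK/ee.crt" -noout -ext subjectAltName
    check_hostname
}
demo
```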


