[openssl-users] Wildcard: how are they correct?

Jakob Bohm jb-openssl at wisemo.com
Wed Oct 10 07:58:40 UTC 2018


Actually, for public CAs, the current standard (the CAB/F
Basic Requirements) requires (a), (b) or (c), and prohibits
(d).

The prohibition on (d) is stated indirectly as a prohibition
against putting something that isn't the subject's validated
public DNS name in CN.

In practice, most public CAs use (a) for maximum backward
compatibility.

It should also be noted that it is a lot less than 20 years
since the popular GNU wget utility started looking at
subjectAltName.  Lesser known tools may have been even slower
to implement it.

On 10/10/2018 08:54, Kyle Hamilton wrote:
> If subjectAltName exists, CN= is not evaluated.  All the given
> examples should work.  (The only exceptions are validators that
> haven't been current for more than 20 years.)  None of the examples is
> correct.  CN= should not even be included in the certificate.  If it
> is, (d) is the closest to correct, if "hello world" is replaced by
> something meaningful to the identification or naming of the subject.
>
> -Kyle H
> On Tue, Oct 9, 2018 at 11:18 PM Walter H. <walter.h at mathemainzel.info> wrote:
>> Hello,
>>
>> which of these possibilities is the correct one?
>>
>> (a)  CN=*.example.com
>>       and subjectAltName = DNS:*.example.com, DNS:example.com
>>
>> (b)  CN=example.com
>>       and subjectAltName = DNS:example.com, DNS:*.example.com
>>
>> (c)  CN=example.com
>>       and subjectAltName = DNS:*.example.com, DNS:example.com
>>
>> (d)  CN=hello world
>>       and subjectAltName = DNS:example.com, DNS:*.example.com
>>
>> Thanks,
>> Walter
>>


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
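As an added illustration (not code from the thread or from OpenSSL), the matcher below models the evaluation rule Kyle describes: when dNSName SANs are present the CN is ignored, and a wildcard only covers one leftmost label. A `legacy_cn_only` switch models the pre-SAN validators Jakob mentions, which is what separates layout (d) from the others; function names and the `DNS:` prefix handling are assumptions of this example, not an API.

```python
# Added example, not from the mailing-list thread: a minimal RFC 6125 style
# hostname matcher for the four CN/SAN layouts from Walter's question.
from typing import Dict, Sequence, Tuple


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one presented name against a hostname.

    A wildcard is honoured only as the whole leftmost label, it never spans
    more than one label, and it never matches the parent domain itself
    (so *.example.com does not cover example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "w*.example.com", "*.*.com" and bare "*.com"-style patterns
    # (conservative: public CAs will not issue wildcards that shallow).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cn: str, sans: Sequence[str],
                     legacy_cn_only: bool = False) -> bool:
    """Modern rule: if any dNSName SAN exists, CN is not consulted at all.
    legacy_cn_only=True models an old validator that only looks at CN."""
    dns_sans = [s[len("DNS:"):] for s in sans if s.startswith("DNS:")]
    if legacy_cn_only or not dns_sans:
        return bool(cn) and _name_match(cn, hostname)
    return any(_name_match(name, hostname) for name in dns_sans)


# The four layouts from the question, as (CN, SAN list) pairs.
LAYOUTS: Dict[str, Tuple[str, Sequence[str]]] = {
    "a": ("*.example.com", ["DNS:*.example.com", "DNS:example.com"]),
    "b": ("example.com", ["DNS:example.com", "DNS:*.example.com"]),
    "c": ("example.com", ["DNS:*.example.com", "DNS:example.com"]),
    "d": ("hello world", ["DNS:example.com", "DNS:*.example.com"]),
}


def check_all(hostname: str, legacy_cn_only: bool = False) -> Dict[str, bool]:
    """Evaluate one hostname against every layout; returns {layout: ok}."""
    return {key: hostname_matches(hostname, cn, sans, legacy_cn_only)
            for key, (cn, sans) in LAYOUTS.items()}


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, "modern:", check_all(host), "legacy:", check_all(host, True))
```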
