client certs with no subjectName only SAN
Erwann.Abalea at docusign.com
Fri Aug 16 10:47:10 UTC 2019
In the same paragraph, the sentence before the one you're quoting says "If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical."
It's not possible to have a missing subject name in a certificate, the field is not OPTIONAL.
Le 15/08/2019 22:13, « openssl-users au nom de Salz, Rich via openssl-users » <openssl-users-bounces at openssl.org au nom de openssl-users at openssl.org> a écrit :
subjectAltName is rarely marked as critical; sec 220.127.116.11 of PKIX says "SHOULD mark subjectAltName as non-critical"
I can believe that OpenSSL doesn't support empty subjectName's. An empty one, with no relative disintuished name components, is not the same as not present.
More information about the openssl-users