client certs with no subjectName only SAN

Erwann Abalea Erwann.Abalea at
Fri Aug 16 10:47:10 UTC 2019


In the same paragraph, the sentence before the one you're quoting says "If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical."

It's not possible to have a missing subject name in a certificate, the field is not OPTIONAL.

Erwann Abalea

Le 15/08/2019 22:13, « openssl-users au nom de Salz, Rich via openssl-users » <openssl-users-bounces at au nom de openssl-users at> a écrit :

    subjectAltName is rarely marked as critical; sec of PKIX says "SHOULD mark subjectAltName as non-critical"
    I can believe that OpenSSL doesn't support empty subjectName's.  An empty one, with no relative disintuished name components, is not the same as not present.

More information about the openssl-users mailing list