client certs with no subjectName only SAN

Robert Moskowitz rgm at
Fri Aug 16 12:20:18 UTC 2019

On 8/16/19 7:58 AM, Salz, Rich wrote:
>>     In the same paragraph, the sentence before the one you're quoting says "If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical."

I will run another test today and see if it is as easy as claimed to 
flag SAN critical.

>>     It's not possible to have a missing subject name in a certificate, the field is not OPTIONAL.

I was wondering more the construction of the cert when 'no 
subjectName'.  You confirmed that the object is there. Probably length 
0.  I will have to look at that asnparse listing more critically.

> You are of course correct.  Thanks Erwann.  (He has forgotten more about ASN1 than I ever knew :)

Why I ask, perhaps seemingly dumb questions, here.  Those that really 
know the stuff are still around.

I learned enough ASN1 to get by with x.509 and snmp and have forgotten 
much of what I learned ~20 years ago.  I do have an iana enterprise 
number that I used in some of my OID proposals in both way back then.

The failing read access really bites.

thanks both of you.

More information about the openssl-users mailing list