client certs with no subjectName only SAN

Viktor Dukhovni openssl-users at
Fri Aug 16 12:41:37 UTC 2019

> On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users <openssl-users at> wrote:
> subjectAltName is rarely marked as critical; sec of PKIX says "SHOULD mark subjectAltName as non-critical"

This is wrong.  When the subject DN is empty, the subjectAltName should be
marked as critical.  IIRC some Java implementations reject the certificate

> I can believe that OpenSSL doesn't support empty subjectName's.  An empty one, with no relative disintuished name components, is not the same as not present.

OpenSSL supports empty (empty RDN sequence) subject DNs.
The "-subj /" option is one way to make that happen.

Empty is of course different from "absent", which is not
possible, since the subject DN is a required component of
an X.509 certificate.


More information about the openssl-users mailing list