Multi-valued RDN in Subject Alternative Name extension
Williams, Gareth
gareth at garethwilliams.me.uk
Sat Jun 20 10:11:24 UTC 2020
On Sat, 20 Jun 2020 at 10:21, Michael Ströder <michael at stroeder.com> wrote:
>
> On 6/18/20 9:12 AM, Williams, Gareth wrote:
> > I can successfully add a multi-value RDN to the Subject of a
> > certificate request using the + format in the config file:
> > [..]
> > However, if I add a SAN to the request:
> > [..]
> > the resulting request has them as separate RDNs (as if the + is not
> > noticed).
> Probably not the answer you were expecting:
>
> In general multi-valued RDNs are a can of worms. Even if you solve this
> particular step within OpenSSL you might run into many more issues with
> other components using the certs.
>
> => I'd strongly recommend to avoid multi-valued RDNs.
>
> Sometimes people want to make the subject DN unique by adding attributes
> to the RDN. But those attribute values would have to be unique in a
> certain scope anyway to achieve that. C (country ISO code) does not look
> like a good candiate for that. Or did you just use that as demo example?
>
Thanks for the response.
I chose the country attribute simply as an example.
I stumbled upon this while testing something else, so thought I’d ask
the question. Your pragmatic answer is fine by me as I had no real
use case – just a matter of curiosity.
Thanks again,
Gareth
More information about the openssl-users
mailing list