On Aug 30, 2016, at 6:28 PM, Tim Boring <tjboring at gmail.com> wrote: > When creating a CSR, openssl displays the following > > <quote> > State or Province Name (full name) [Some-State]: > </quote> ... > And a couple lines up from that is a comment pointing to RFC 3280, which defines the following: The original definition is from X.520, I suppose, which doesn't explicitly say whether abbreviations are allowed, although the example it gives is for a full name (Ohio). [1] > I'm curious about this because the openssl command will create a CSR where stateOrProvince has a two-character (U.S.) state name, and (at least one) CA (Comodo) will happily issue a cert using such a CSR. I think for ordinary domain-validated certificates, almost nothing in the Subject is actually validated or used by the browser, and I'd guess not inspected by the CA either. In situations where people actually care, the full name seems to be required for that attribute. The following language shows up in a few places via google:
