On Thu, Aug 17, 2017 at 12:28 AM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
> I have skimmed through a few RFCs following today's postings and a few web
> sites. It would seem to me that I should:
>
> Remove commonName and emailAddress completely from the cnf file. They no
> longer belong in any cert, root or intermediate CA certs, server or user
> certs.

CommonName is supplied for viewing by tools like certificate viewers. It should probably be a friendly name, like "Example Web Services". Don't include hostnames in the CN. If you list it in the CN, then it must be listed in the SAN, too. You must list it twice.

When you see a name like "example.com" in the CN, it's usually a CA including a domain name and not a hostname. It's confusing for users and user agents. I've seen user agents match a hostname based on the domain name. On the backend, there's usually a redirect for the domain example.com to send user agents to a host like www.example.com. It happens up at layer 7, not at layer 4.

> For servers include something like in the cnf file:
>
> subjectAltName = DNS:www.example.com, DNS:example.com, DNS=localhost,
> EMAIL:postmaster@xxxxxxxxxxx

Don't include an email address. X.509 and PKIX certificates don't really have a proper field for email addresses. That's why they get mashed into CommonName.

> (That is all supposed to be on a single line in case your mail viewer wraps
> it).
>
> Um, I can specify 'localhost' in this manner if I am on the server and
> connecting in the browser with https://localhost ??

Yes. You can also put IP addresses there. The RFCs mostly allow it. The CA/Browser Forum Baseline Requirements (CA/B BR) forbid it, but it's not clear (to me) what current browser behavior is.

For completeness, non-browser user agents, like wget and openssl, follow the RFC standards and issuing policies. Browsers follow the CA/B BR. That's why you often see browsers reject something accepted by other user agents.

You might also be interested in https://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority/21340898#21340898 and https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl. The questions and answers reference about 6 different standards.

> And for clients:
>
> subjectAltName = EMAIL:user@xxxxxxxxxxx
>
> I am looking at how to build the above line using ENV variables. It is more
> a matter of how I do it than can I do it...

This is a whole 'nother can of worms. Also see https://security.stackexchange.com/questions/62746/how-to-encode-a-username-in-pkix-certificate.

Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
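The following script is an added example, not code from the thread or from the OpenSSL project, that puts the advice above into a working cnf: a friendly CommonName with every hostname and IP address carried only in subjectAltName (using OpenSSL's `DNS:`, `IP:` and `email:` keywords), plus a client cert whose email address is pulled into the SAN from an environment variable with the `${ENV::name}` config syntax Robert asked about. It then asks OpenSSL's own matcher (`openssl x509 -checkhost/-checkip/-checkemail`) which names it accepts. Assumptions: the `openssl` CLI is 1.1.1 or later, the certs are self-signed only to keep the demo offline (a real CSR goes to a CA), and the names example.com, localhost, 127.0.0.1 and the variable CLIENT_EMAIL are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a server cert with a friendly CN
# and hostnames/IPs only in the SAN, and a client cert whose rfc822Name comes
# from $CLIENT_EMAIL, then checks which names OpenSSL's matcher accepts.
# Requires the openssl CLI, 1.1.1 or later. All names are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server config: the CN is a display name; every hostname and IP is in the SAN.
write_server_config() {   # $1 = cnf path
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Example Web Services

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.com, DNS:example.com, DNS:localhost, IP:127.0.0.1
EOF
}

# Client config: the email SAN is read from the CLIENT_EMAIL environment
# variable (assumed name) via OpenSSL's ${ENV::name} config syntax.
write_client_config() {   # $1 = cnf path
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Example User

[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName   = email:${ENV::CLIENT_EMAIL}
EOF
}

# Self-signed to keep the demo offline; in practice the CSR is sent to a CA.
make_self_signed() {      # $1 = cnf, $2 = extension section, $3 = key out, $4 = cert out
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1" -extensions "$2" -keyout "$3" -out "$4" 2>/dev/null
}

# Each check returns 0 when OpenSSL prints "... does match certificate", 1 otherwise.
cert_matches_host()  { openssl x509 -noout -in "$1" -checkhost  "$2" 2>&1 | grep -q 'does match'; }
cert_matches_ip()    { openssl x509 -noout -in "$1" -checkip    "$2" 2>&1 | grep -q 'does match'; }
cert_matches_email() { openssl x509 -noout -in "$1" -checkemail "$2" 2>&1 | grep -q 'does match'; }

SERVER_CERT="$WORK/server.pem"
write_server_config "$WORK/server.cnf"
make_self_signed "$WORK/server.cnf" v3_server "$WORK/server.key" "$SERVER_CERT"

CLIENT_CERT="$WORK/client.pem"
CLIENT_EMAIL=user@example.com; export CLIENT_EMAIL
write_client_config "$WORK/client.cnf"
make_self_signed "$WORK/client.cnf" v3_client "$WORK/client.key" "$CLIENT_CERT"

echo "== server cert subject and SAN =="
openssl x509 -noout -in "$SERVER_CERT" -subject -ext subjectAltName
for h in www.example.com example.com localhost mail.example.com; do
    if cert_matches_host "$SERVER_CERT" "$h"; then echo "match:    $h"; else echo "no match: $h"; fi
done
if cert_matches_ip "$SERVER_CERT" 127.0.0.1; then echo "match:    IP 127.0.0.1"; fi

echo "== client cert SAN =="
openssl x509 -noout -in "$CLIENT_CERT" -ext subjectAltName
if cert_matches_email "$CLIENT_CERT" "$CLIENT_EMAIL"; then echo "match:    $CLIENT_EMAIL"; fi
```

Because the hostnames live only in the SAN, the CN "Example Web Services" never takes part in matching, and mail.example.com is rejected since there is no wildcard entry. `-checkhost` exercises the same X509_check_host() logic that OpenSSL-based clients apply, so it is a quick way to confirm what openssl or wget will accept before testing a browser, which applies the CA/B BR on top.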