On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:

> > Remove commonName and emailAddress completely from the cnf file. They no
> > longer belong in any cert, root or intermediate CA certs, server or user
> > certs.
>
> CommonName is supplied for viewing by tools like certificate viewers.
> It should probably be a friendly name, like "Example Web Services".

RFC 5280 suggests an empty subject DN with all the desired names in the
subject alt name extension.

> When you see a name like "example.com" in the CN, it's usually a CA
> including a domain name and not a hostname.

That's nonsense.

> > For servers include something like in the cnf file:
> >
> > subjectAltName = DNS:www.example.com, DNS:example.com, DNS:localhost,
> > EMAIL:postmaster@xxxxxxxxxxx
>
> Don't include an email address.

That is, don't include unless the certificate is intended for S/MIME.

> X.509 and PKIX certificates don't really have a proper field for email
> addresses. That's why they get mashed into CommonName.

They sure do, that's what rfc822Name is for in the subject alt name
extension. It supports S/MIME certificates. There's even recent work
(soon to be an RFC) to internationalize this with SmtpUTF8Name...

> > Um, I can specify 'localhost' in this manner if I am on the server and
> > connecting in the browser with https://localhost ??
>
> Yes.

You can, but it is not a good idea. Since that "localhost" will then
work on every host that trusts the issuing CA. The only way to make
this reasonably secure is to have a per-host issuing CA that's only
trusted on *that* host, and *that* CA can then issue the "localhost"
certificate. All the hosts can additionally trust other shared CAs.

> > I am looking at how to build the above line using ENV variables. It is more
> > a matter of how I do it than can I do it...

The tricky bit is creating a variable number of SAN elements, I don't
know how to do that with just environment variables.

Sometimes building a config file on the fly is the way to go.

-- 
Viktor.
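One way to do what the last paragraph suggests, as an added example that is not part of the thread: generate the req config on the fly from an environment variable so the subjectAltName list can hold any number of entries. SAN_NAMES and the function names are assumptions of this example; the names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build an OpenSSL req config on the fly so
# the subjectAltName list can have any number of entries, taken from the
# environment. SAN_NAMES (assumed, constructed) is a space-separated list of DNS
# names and IPv4 addresses, e.g. "www.example.com example.com 127.0.0.1".

# Print one SAN element; DNS: or IP: is chosen from the shape of the name.
san_entry() {
    case "$1" in
        *@*)  # rfc822Name belongs in an S/MIME certificate, not a server cert
              echo "refusing email address '$1'" >&2; return 1 ;;
        localhost)  # valid on every host that trusts the issuing CA
              echo "warning: 'localhost' in a SAN trusts the whole CA scope" >&2
              printf 'DNS:%s' "$1" ;;
        *[!0-9.]*) printf 'DNS:%s' "$1" ;;   # anything non-numeric is a DNS name
        *)         printf 'IP:%s' "$1" ;;    # dotted quad (IPv6 not handled here)
    esac
}

# Join every name in SAN_NAMES into one "subjectAltName = ..." config line.
san_line() {
    out="subjectAltName = "; sep=""
    for n in $SAN_NAMES; do
        e=$(san_entry "$n") || return 1
        out="$out$sep$e"; sep=", "
    done
    printf '%s\n' "$out"
}

# Emit a complete req config. The subject DN stays empty (names live only in
# the SAN extension); "-subj /" on the command line supplies that empty subject.
build_cnf() {
    line=$(san_line) || return 1
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
    printf '\n[dn]\n\n[ext]\n%s\n' "$line"
}

# Write the config to $3, then generate key ($1) and CSR ($2) from it.
make_csr() {
    build_cnf > "$3" || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj / -config "$3"
}

# Stand-alone demo with constructed names: print the generated config.
SAN_NAMES="www.example.com example.com 127.0.0.1"
build_cnf
```

Run `SAN_NAMES="..." sh thisfile.sh` to see the config, or call `make_csr key.pem csr.pem req.cnf` from the same script to produce a CSR with that SAN list and an empty subject.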