> On 17 August 2017 at 17:26, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>
>>> When you see a name like "example.com" in the CN, it's usually a CA
>>> including a domain name and not a hostname.
>>
>> That's nonsense.
>
> If a certificate is issued under CA/B policies, and CN=example.com but
> it _lacks_ SAN=example.com, then it's not a hostname and it should
> not be matched.

Such a certificate would be mis-issued and be revoked immediately.
CN MUST be an FQDN (or a wildcarded FQDN, or an IP address), and a copy of the value in CN MUST be present in the SAN extension.

Regards,
Erwann Abalea

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
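
The rule stated in the reply above, as an added example that is not part of the original thread or of OpenSSL's code: a Python check over already-parsed certificate fields that the subject CN is an FQDN, a wildcarded FQDN or an IP address, and that its value is copied into the SAN. The function names, the two-label FQDN test and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# One DNS label under the LDH rule: letters, digits, hyphen, no edge hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify_cn(cn):
    """Return 'ip', 'fqdn', 'wildcard' or None for a subject CN value."""
    try:
        ipaddress.ip_address(cn)
        return "ip"
    except ValueError:
        pass
    labels, kind = cn.split("."), "fqdn"
    if labels[0] == "*":  # wildcard only as the whole leftmost label
        labels, kind = labels[1:], "wildcard"
    # Assumption: an FQDN here means at least two LDH labels, 253 chars max.
    if len(cn) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels):
        return kind
    return None

def lint_cn_san(cn, san_dns=(), san_ip=()):
    """Return a list of findings; an empty list means the rule is satisfied."""
    kind = classify_cn(cn)
    if kind is None:
        return ["CN is not an FQDN, wildcard FQDN or IP address: %r" % cn]
    if kind == "ip":
        wanted = ipaddress.ip_address(cn)  # compare parsed, not textual, form
        present = any(ipaddress.ip_address(i) == wanted for i in san_ip)
    else:
        # DNS names compare case-insensitively.
        present = cn.lower() in {d.lower() for d in san_dns}
    return [] if present else ["CN value %r has no copy in the SAN extension" % cn]

# Constructed samples: (subject CN, SAN dNSName entries, SAN iPAddress entries).
SAMPLES = {
    "cn_without_san": ("example.com", [], []),
    "cn_copied": ("example.com", ["EXAMPLE.com", "www.example.com"], []),
    "wildcard": ("*.example.com", ["*.example.com"], []),
    "ipv6": ("2001:db8::1", [], ["2001:0db8:0:0:0:0:0:1"]),
    "free_text_cn": ("Example Web Server", ["example.com"], []),
}

if __name__ == "__main__":
    for name, (cn, dns, ips) in SAMPLES.items():
        print(name, lint_cn_san(cn, dns, ips) or "ok")
```
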