On Fri, Aug 18, 2017 at 08:48:07AM -0400, Jeffrey Walton wrote:

> If this is a private PKI, then you can do things like that.
>
> But I believe you need a distinguished name if you are following the
> RFCs. Maybe you can modify your script to stuff the principal name
> from the SAN in the DN somewhere.

The subject DN is allowed (and indeed recommended in RFC 5280) to be an empty RDN sequence (with the subject alt name extension marked critical, and holding the relevant names, in practice not marking critical works just as well). The issuer DN is the CA's subject name and is fixed, so not the OP's problem.

-- 
	Viktor.
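
A lint for the rule discussed in the message above (an empty subject DN paired with a subjectAltName extension, critical under a strict reading of RFC 5280), given as an added example that is not part of the original thread and is not OpenSSL code. The function names, the `sample` builder and `host.example.test` are assumptions; the sample input is a constructed, unsigned certificate skeleton used only to exercise the parser.

```python
SAN_OID = bytes.fromhex("551d11")  # OID 2.5.29.17, subjectAltName
def tlv(tag, body=b""):  # DER-encode one TLV with a definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def read(buf):  # split buf into (tag, value) pairs; ValueError on truncated input
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def check_subject_san(cert_der):  # finding for the empty-subject / critical-SAN rule
    tbs = read(read(read(cert_der)[0][1])[0][1])  # TBSCertificate fields
    if tbs[0][0] == 0xA0:                         # skip explicit [0] version
        tbs = tbs[1:]
    subject = tbs[4][1]   # follows serial, signature alg, issuer, validity
    san_critical = None   # None: no SAN extension found
    for val in [v for t, v in tbs[6:] if t == 0xA3]:   # [3] extensions
        for _, ext in read(read(val)[0][1]):
            f = read(ext)  # OID, optional BOOLEAN critical, OCTET STRING
            if f[0][1] == SAN_OID:
                san_critical = f[1][0] == 0x01 and f[1][1] != b"\x00"
    if subject:
        return "ok: subject DN present"
    if san_critical is None:
        return "fail: empty subject, no subjectAltName"
    return "ok: empty subject, critical SAN" if san_critical else "warn: empty subject, SAN not critical"

def sample(with_subject, critical):  # constructed skeleton; critical=None omits the SAN
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
    ext = tlv(0x30, tlv(0x06, SAN_OID) + (tlv(0x01, b"\xff") if critical else b"")
              + tlv(0x04, tlv(0x30, tlv(0x82, b"host.example.test"))))  # dNSName
    exts = b"" if critical is None else tlv(0xA3, tlv(0x30, ext))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(b"Example CA")
              + tlv(0x30, tlv(0x17, b"170818000000Z") + tlv(0x17, b"180818000000Z"))
              + (name(b"host") if with_subject else tlv(0x30)) + tlv(0x30, alg + tlv(0x03, b"\x00")) + exts)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))  # placeholder signature bits
```

To run it on a real certificate, pass the DER bytes (for example the output of `openssl x509 -outform DER`) to `check_subject_san`.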