If subjectAltName exists, CN= is not evaluated. All the given examples should work. (The only exceptions are validators that haven't been current for more than 20 years.) None of the examples is correct. CN= should not even be included in the certificate. If it is, (d) is the closest to correct, if "hello world" is replaced by something meaningful to the identification or naming of the subject. -Kyle H On Tue, Oct 9, 2018 at 11:18 PM Walter H. <walter.h@xxxxxxxxxxxxxxxxx> wrote: > > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
