Actually, per the latest CA/Browser forum guidelines, subject.CN is not only optional but “discouraged”. -FG > On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote: > > SubjectCN is an operational requirement of X.509, I believe. It's not > optional in the data structure, at any rate. > > -Kyle H > >> On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson <mcr@xxxxxxxxxxxx> wrote: >> >> >> Salz, Rich via openssl-users <openssl-users@xxxxxxxxxxx> wrote: >>> Putting the DNS name in the CN part of the subjectDN has been >>> deprecated for a very long time (more than 10 years), although it >>> is still supported by many existing browsers. New certificates >>> should only use the subjectAltName extension. >> >> Fair enough. >> >> It seems that the "openssl ca" mechanism still seem to want a subjectDN >> defined. Am I missing some mechanism that would let me omit all of that? Or >> is a patch needed to kill what seems like a current operational requirement? >> >> -- >> ] Never tell me the odds! | ipv6 mesh networks [ >> ] Michael Richardson, Sandelman Software Works | IoT architect [ >> ] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [ >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
