Re: Subject CN and SANs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Actually, per the latest CA/Browser forum guidelines, subject.CN is not only optional but “discouraged”.

-FG

> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:
> 
> SubjectCN is an operational requirement of X.509, I believe.  It's not
> optional in the data structure, at any rate.
> 
> -Kyle H
> 
>> On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
>> 
>> 
>> Salz, Rich via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>>> Putting the DNS name in the CN part of the subjectDN has been
>>> deprecated for a very long time (more than 10 years), although it
>>> is still supported by many existing browsers. New certificates
>>> should only use the subjectAltName extension.
>> 
>> Fair enough.
>> 
>> It seems that the "openssl ca" mechanism still seem to want a subjectDN
>> defined.  Am I missing some mechanism that would let me omit all of that?  Or
>> is a patch needed to kill what seems like a current operational requirement?
>> 
>> --
>> ]               Never tell me the odds!                 | ipv6 mesh networks [
>> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
>> ]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [
>> 
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux