> On Dec 23, 2018, at 6:01 PM, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:
>
> You're right, I typoed. SubjectDN is non-optional. But it can, as
> you mentioned, be an empty sequence.
>
> But for PKIX purposes, it can't be empty if it's an Issuer (because
> IssuerDN can't be empty in the certificates that it issues).

That's an odd use of "it", since the issuerDN while also a DN is not a subjectDN. The "it" that is the subjectDN is sometimes legitimately empty. The other "it" that is the issuerDN is supposed to always be non-empty, but some self-signed certificates violate that requirement with apparent impunity, e.g. nothing in OpenSSL requires a non-empty issuer DN in an end-entity self-signed certificate, if it breaks, the constraint would be at the application layer.

--
Viktor.
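An application-layer check of the kind the reply refers to, as an added example that is not part of the original message and not OpenSSL code: it walks a DER certificate far enough to see whether the issuer and subject names are empty SEQUENCEs. The function names and the sample certificate skeletons are constructed for illustration; the skeletons are structurally shaped like certificates but carry no real key or signature.

```python
def der(tag, body=b""):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dn_status(cert_der):
    """Report whether issuer and subject are empty SEQUENCEs in a DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0         # skip the optional [0] version field
    fields = []
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        tag, val, pos = read_tlv(tbs, pos)
        fields.append((tag, val))
    (itag, issuer), (stag, subject) = fields[2], fields[4]
    if itag != 0x30 or stag != 0x30:
        raise ValueError("issuer/subject is not a SEQUENCE")
    return {"issuer_empty": issuer == b"", "subject_empty": subject == b""}

def pkix_findings(cert_der):
    """Application-layer policy: an empty issuer is flagged, an empty subject is not."""
    return ["empty issuer DN"] if dn_status(cert_der)["issuer_empty"] else []

# Constructed samples: structural skeletons, not signed certificates.
EMPTY = der(0x30)
NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"example"))))

def skeleton(issuer, subject):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30)
              + issuer + der(0x30) + subject + der(0x30))
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))
```
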