A bit off-topic but is it also a good idea to follow these guidelines in
non-browser use cases, for example for a client certificate which is used to
authenticate on a TLS connection which will be used for another protocol such
as MQTT? In this case the SubjectCN looks like a "natural" place to put the
client's identity, but maybe it is still better to use subjectAltName?

- Chris

> Actually, per the latest CA/Browser forum guidelines, subject.CN is not
> only optional but "discouraged".
>
> -FG
>
>> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:
>>
>> SubjectCN is an operational requirement of X.509, I believe. It's not
>> optional in the data structure, at any rate.
>>
>> -Kyle H
>>
>>> On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson <mcr@xxxxxxxxxxxx>
>>> wrote:
>>>
>>> Salz, Rich via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>>>> Putting the DNS name in the CN part of the subjectDN has been
>>>> deprecated for a very long time (more than 10 years), although it
>>>> is still supported by many existing browsers. New certificates
>>>> should only use the subjectAltName extension.
>>>
>>> Fair enough.
>>>
>>> It seems that the "openssl ca" mechanism still seems to want a subjectDN
>>> defined. Am I missing some mechanism that would let me omit all of
>>> that? Or is a patch needed to kill what seems like a current
>>> operational requirement?
>>>
>>> --
>>> ]               Never tell me the odds!        | ipv6 mesh networks [
>>> ]   Michael Richardson, Sandelman Software Works |    IoT architect [
>>> ]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/ |    ruby on rails [

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
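
One way a server that accepts TLS client certificates (an MQTT broker, say) could apply the subjectAltName-first advice discussed in this thread, as an added example that is not part of the original messages. It works on the dict returned by Python's `ssl.SSLSocket.getpeercert()`; the SAN type preference order, the rejection of ambiguous entries, the opt-in CN fallback and the sample certificates are all assumptions of this example.

```python
# Added example: pick a TLS client's identity from the dict that
# ssl.SSLSocket.getpeercert() returns, preferring subjectAltName over CN.

SAN_TYPES = ("URI", "DNS", "email")  # assumed preference order for this example


class NoIdentity(Exception):
    """The certificate carries no identifier this policy accepts."""


def common_names(cert):
    """All commonName values in the subject (a tuple of RDNs of (key, value) pairs)."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def client_identity(cert, allow_cn_fallback=False):
    """Return (source, value) naming the client.

    SAN entries win whenever an accepted SAN type is present; the CN is
    consulted only when the certificate has no such entry AND the caller
    opted in to the legacy fallback.
    """
    san = cert.get("subjectAltName", ())
    for wanted in SAN_TYPES:
        values = [v for t, v in san if t == wanted]
        if len(values) > 1:
            raise NoIdentity(f"ambiguous: {len(values)} {wanted} SAN entries")
        if values:
            return ("SAN:" + wanted, values[0])
    cns = common_names(cert)
    if allow_cn_fallback and len(cns) == 1:
        return ("CN", cns[0])
    raise NoIdentity("no usable subjectAltName entry")


# Constructed sample certificates in getpeercert() format.
SAN_ONLY = {"subject": (), "subjectAltName": (("URI", "urn:example:device:17"),)}
CN_AND_SAN = {"subject": ((("commonName", "admin"),),),
              "subjectAltName": (("DNS", "sensor-17.example.net"),)}
CN_ONLY = {"subject": ((("organizationName", "Example"),), (("commonName", "sensor-17"),))}

if __name__ == "__main__":
    for name, cert in [("SAN_ONLY", SAN_ONLY), ("CN_AND_SAN", CN_AND_SAN)]:
        print(name, client_identity(cert))
    print("CN_ONLY", client_identity(CN_ONLY, allow_cn_fallback=True))
```

`getpeercert()` only returns a populated dict when the peer certificate was validated, so this check belongs after chain verification, not in place of it.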