Re: Subject CN and SANs


> On Dec 24, 2018, at 5:51 PM, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:

> If a certificate identifies an Issuer, then the certificate cannot contain an empty sequence of RDNs in the Subject and still be conformant to PKIX.

Yes, CA certificates need to have a non-empty subject name if they're
to be used for signing subordinate certificates.

End-entity certificates do not need to have a non-empty subject name,
and some do not.  The usual public CAs have on the whole not yet
stopped populating CN values into the subject DN of subordinate EE
certificates, but when the DNS name in question is longer than ~64 bytes,
they have no choice but to omit the CN.

Undoubtedly a search through the CT logs would find some examples.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
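
The behaviour described in the message above, as an added example that is not part of the original post: the `openssl` CLI refuses a commonName over 64 characters, and an end-entity certificate for the same DNS name can be issued with an empty subject and a critical subjectAltName. The DNS name, the CA name and the file names are constructed, and OpenSSL 1.1.1 or later with its default configuration file is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Names and files are constructed.
# Assumes OpenSSL 1.1.1 or later on PATH.

# Constructed 69-character DNS name: each label is under 63 bytes, but the whole
# name exceeds the 64-character upper bound RFC 5280 sets for commonName.
LONG_NAME="host-with-a-deliberately-long-name.prod.internal-services.example.org"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Returns 0 if OpenSSL accepts $1 as a subject CN, non-zero if it refuses.
cn_accepted() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/tmp.key" \
        -subj "/CN=$1" -out "$WORK/tmp.csr" 2>/dev/null
}

# Issues an end-entity certificate for DNS name $1 with an empty subject DN.
# The test CA has a non-empty subject, so the EE issuer field is populated.
issue_empty_subject_ee() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Constructed Test CA" 2>/dev/null || return 1
    # "-subj /" yields an empty sequence of RDNs in the request.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ee.key" \
        -subj "/" -out "$WORK/ee.csr" 2>/dev/null || return 1
    # RFC 5280 4.1.2.6: with an empty subject, subjectAltName must be critical.
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=critical,DNS:%s\n' \
        "$1" > "$WORK/ee.ext"
    openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/ee.ext" -out "$WORK/ee.pem" 2>/dev/null
}

# Prints the EE subject DN without the "subject=" prefix (empty if no RDNs).
ee_subject() {
    openssl x509 -in "$WORK/ee.pem" -noout -subject | sed 's/^subject= *//'
}

# Prints the subjectAltName header and value lines from the text dump.
ee_san() {
    openssl x509 -in "$WORK/ee.pem" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name'
}

if cn_accepted "$LONG_NAME"; then echo "CN accepted"; else echo "CN refused"; fi
if issue_empty_subject_ee "$LONG_NAME"; then
    echo "EE subject: '$(ee_subject)'"
    ee_san
fi
```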


