> On Dec 24, 2018, at 5:51 PM, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote: > If a certificate identifies an Issuer, then the certificate cannot contain an empty sequence of RDNs in the Subject and still be conformant to PKIX. Yes, CA certificates need to have a non-empty subject name if they're to be used for signing subordinate certificates. End-entity certificates do not need to have a non-empty subject name, and some do not. The usual public CAs have on the whole not yet stopped populating CN values into the subject DN of subordinate EE certificates, but when the DNS name in question is longer than ~64 bytes, they have no choice but to omit the CN. Undoubtedly a search through the CT logs would find some examples. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users