Re: client certs with no subjectName only SAN

On 8/15/19 4:13 PM, Salz, Rich wrote:
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark subjectAltName as non-critical"

Fine with me.

I can believe that OpenSSL doesn't support empty subjectNames.  An empty one, with no relative distinguished name components, is not the same as not present.

It does seem empty with that -subj / command line option.

I am not seeing subjectName in this dump of the cert:

$    openssl asn1parse -i -in $dir/certs/device1.cert.pem
    0:d=0  hl=4 l= 439 cons: SEQUENCE
    4:d=1  hl=4 l= 361 cons:  SEQUENCE
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
   13:d=2  hl=2 l=   9 prim:   INTEGER           :C98FB27BE19574CF
   24:d=2  hl=2 l=   5 cons:   SEQUENCE
   26:d=3  hl=2 l=   3 prim:    OBJECT            :ED25519
   31:d=2  hl=2 l=  29 cons:   SEQUENCE
   33:d=3  hl=2 l=  27 cons:    SET
   35:d=4  hl=2 l=  25 cons:     SEQUENCE
   37:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   42:d=5  hl=2 l=  18 prim:      UTF8STRING :2001:24:28:14::/64
   62:d=2  hl=2 l=  30 cons:   SEQUENCE
   64:d=3  hl=2 l=  13 prim:    UTCTIME           :190815195117Z
   79:d=3  hl=2 l=  13 prim:    UTCTIME           :200824195117Z
   94:d=2  hl=2 l=   0 cons:   SEQUENCE
   96:d=2  hl=2 l=  42 cons:   SEQUENCE
   98:d=3  hl=2 l=   5 cons:    SEQUENCE
  100:d=4  hl=2 l=   3 prim:     OBJECT            :ED25519
  105:d=3  hl=2 l=  33 prim:    BIT STRING
  140:d=2  hl=3 l= 226 cons:   cont [ 3 ]
  143:d=3  hl=3 l= 223 cons:    SEQUENCE
  146:d=4  hl=2 l=   9 cons:     SEQUENCE
  148:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Basic Constraints
  153:d=5  hl=2 l=   2 prim:      OCTET STRING      [HEX DUMP]:3000
  157:d=4  hl=2 l=  17 cons:     SEQUENCE
  159:d=5  hl=2 l=   9 prim:      OBJECT            :Netscape Cert Type
  170:d=5  hl=2 l=   4 prim:      OCTET STRING      [HEX DUMP]:030205A0
  176:d=4  hl=2 l=  51 cons:     SEQUENCE
  178:d=5  hl=2 l=   9 prim:      OBJECT            :Netscape Comment
  189:d=5  hl=2 l=  38 prim:      OCTET STRING      [HEX DUMP]:16244F70656E53534C2047656E65726174656420436C69656E74204365727469666963617465
  229:d=4  hl=2 l=  29 cons:     SEQUENCE
  231:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject Key Identifier
  236:d=5  hl=2 l=  22 prim:      OCTET STRING      [HEX DUMP]:041497B0DCA27493CF765E826C089C467383D3868E9A
  260:d=4  hl=2 l=  31 cons:     SEQUENCE
  262:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Authority Key Identifier
  267:d=5  hl=2 l=  24 prim:      OCTET STRING      [HEX DUMP]:30168014B145189B33826C7429692A15933B1C31D237D6CA
  293:d=4  hl=2 l=  14 cons:     SEQUENCE
  295:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Key Usage
  300:d=5  hl=2 l=   1 prim:      BOOLEAN           :255
  303:d=5  hl=2 l=   4 prim:      OCTET STRING      [HEX DUMP]:030205E0
  309:d=4  hl=2 l=  29 cons:     SEQUENCE
  311:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Extended Key Usage
  316:d=5  hl=2 l=  22 prim:      OCTET STRING      [HEX DUMP]:301406082B0601050507030206082B06010505070304
  340:d=4  hl=2 l=  27 cons:     SEQUENCE
  342:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject Alternative Name
  347:d=5  hl=2 l=  20 prim:      OCTET STRING      [HEX DUMP]:301287102001002400280014B8AF2789CBB9F7AC
  369:d=1  hl=2 l=   5 cons:  SEQUENCE
  371:d=2  hl=2 l=   3 prim:   OBJECT            :ED25519
  376:d=1  hl=2 l=  65 prim:  BIT STRING