> On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
> subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark subjectAltName as non-critical"

This is wrong. When the subject DN is empty, the subjectAltName should be marked as critical. IIRC some Java implementations reject the certificate otherwise.

> I can believe that OpenSSL doesn't support empty subjectName's. An empty one, with no relative distinguished name components, is not the same as not present.

OpenSSL supports empty (empty RDN sequence) subject DNs. The "-subj /" option is one way to make that happen. Empty is of course different from "absent", which is not possible, since the subject DN is a required component of an X.509 certificate.

--
Viktor.
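
The point discussed in this message, as an added example that is not part of the original thread: RFC 5280 section 4.2.1.6 requires a critical subjectAltName when the subject is an empty sequence. The script builds two empty-subject certificates with `-subj /` and checks each one; it assumes OpenSSL 1.1.1 or later, and the function names, host name and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1 or later
# (-addext on "req", -ext on "x509"). Host and file names are constructed.

# make_cert OUT SAN: self-signed certificate with an empty subject DN
# ("-subj /", as in the message above) and the given subjectAltName value.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj / \
        -addext "subjectAltName=$2" -keyout /dev/null -out "$1" 2>/dev/null
}

# check_san CERT: return 0 if the certificate has a non-empty subject, or an
# empty subject together with a critical subjectAltName; return 1 otherwise
# (including when the subjectAltName extension is missing).
check_san() (
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    [ -n "$subject" ] && exit 0
    # The first output line is the extension header, for example
    # "X509v3 Subject Alternative Name: critical".
    header=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | head -n 1)
    case "$header" in
        *critical*) exit 0 ;;
        *) exit 1 ;;
    esac
)

# demo: build one compliant and one non-compliant certificate and report.
demo() (
    dir=$(mktemp -d) || exit 1
    make_cert "$dir/critical.pem" "critical,DNS:host.example.test" || exit 1
    make_cert "$dir/noncritical.pem" "DNS:host.example.test" || exit 1
    for f in critical noncritical; do
        if check_san "$dir/$f.pem"; then
            echo "$f: ok"
        else
            echo "$f: empty subject, subjectAltName not critical"
        fi
    done
    rm -rf "$dir"
)
demo
```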