On Sat, 20 Jun 2020 at 10:21, Michael Ströder <michael@xxxxxxxxxxxx> wrote:
>
> On 6/18/20 9:12 AM, Williams, Gareth wrote:
> > I can successfully add a multi-value RDN to the Subject of a
> > certificate request using the + format in the config file:
> > [..]
> > However, if I add a SAN to the request:
> > [..]
> > the resulting request has them as separate RDNs (as if the + is not
> > noticed).
>
> Probably not the answer you were expecting:
>
> In general multi-valued RDNs are a can of worms. Even if you solve this
> particular step within OpenSSL you might run into many more issues with
> other components using the certs.
>
> => I'd strongly recommend to avoid multi-valued RDNs.
>
> Sometimes people want to make the subject DN unique by adding attributes
> to the RDN. But those attribute values would have to be unique in a
> certain scope anyway to achieve that. C (country ISO code) does not look
> like a good candidate for that. Or did you just use that as demo example?
>

Thanks for the response. I chose the country attribute simply as an example. I stumbled upon this while testing something else, so thought I’d ask the question.

Your pragmatic answer is fine by me as I had no real use case – just a matter of curiosity.

Thanks again,

Gareth