On Fri, Jun 18, 2021 at 05:37:33PM +0200, Jakob Bohm via openssl-users wrote:

> > Also, the correspondence between the peer identity as requested by
> > the client, and as represented by the entity certificate, should not
> > be done using the CN component of the Subject DN (as OP suggested),
> > but by comparing against the Subject Alternative Name extension
> > values. The subject CN should only be used as a last resort; some
> > applications may refuse to allow a CN match and insist on an X.509v3
> > certificate with a valid SAN.
> >
> > (Jakob knows all this.)
>
> Actually, I have heard of nothing at all proposing the use of
> SANs on CA certificates or their use in chain building.

The discussion of SANs was only about the EE cert name matching.

Indeed, chain building only matches the issuer DN against the CA subject DN
and, if present, the authority key id against the CA's subject key id (or the
general name + serial from the AKID against the CA's issuer / serial).

-- 
Viktor.
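As an added illustration (not code from the thread or from OpenSSL) of the two separate checks Viktor distinguishes, here is a small Go crypto/x509 program: ChainLinks performs the chain-building match (EE issuer DN against CA subject DN, EE AKID against CA SKID, no SANs involved), while NameMatches performs the EE name check, which consults only the SAN extension. It assumes a constructed, self-signed CA and EE pair with throwaway Ed25519 keys and the made-up names "Demo Root CA" and example.test.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tpl under parent with priv and returns the parsed certificate (demo only; panics on error).
func issue(tpl, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// MakePair builds a constructed self-signed CA and an EE certificate it issues; Go fills in the CA's SKID and copies it into the EE's AKID.
func MakePair(eeCN string, eeSANs []string) (ca, ee *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	eePub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
	}
	ca = issue(caTpl, caTpl, caPub, caKey)
	ee = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: eeCN}, DNSNames: eeSANs,
		NotBefore: now, NotAfter: now.Add(time.Hour),
	}, ca, eePub, caKey)
	return ca, ee
}

// ChainLinks is the chain-building match: EE issuer DN equals CA subject DN and, when the EE
// carries an AKID key identifier, it equals the CA's SKID. Neither cert's SAN extension is consulted.
func ChainLinks(ca, ee *x509.Certificate) bool {
	return bytes.Equal(ee.RawIssuer, ca.RawSubject) &&
		(len(ee.AuthorityKeyId) == 0 || bytes.Equal(ee.AuthorityKeyId, ca.SubjectKeyId))
}

// NameMatches is the separate EE name check: with a SAN extension present, VerifyHostname ignores the subject CN.
func NameMatches(ee *x509.Certificate, host string) bool {
	return ee.VerifyHostname(host) == nil
}
```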