On Wed, May 10, 2023 at 11:09:54PM -0400, Robert Moskowitz wrote:
> I would want the Issuer DN to be these values. What might be the
> preferred DN field for encoding this? CN? UNSTRUCTUREDADDRESS? (how is
> this abbreviated?) serialNumber (SN)? or something else?
Do you have to try to encode these as X.509 names, or specifically in
the issuer or subject DNs? If the specification does not require this,
I'd recommend not attempting to assign any meaning to X.509 names.
Just use an uninterpreted unique Common name for each issuing CA, and
empty subject names for all EE certificates.
Any names that have meanings would then be Subject Alternative Names
of the relevant certificates. If there's a reasonable use case, you
could also employ Issuer Alternative Names.
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.7
--
Viktor.
