RFC 9525 changes the way TLS certification is done: * The server identity can only be expressed in the subjectAltNames extension; it is no longer valid to use the commonName RDN, known as CN-ID in [VERIFY]. Not such a big surprise as already the book "Network Security with OpenSSL" (O'Reilly, ISBN 0-596-00270-X, June 2002; Thank you!) states: The common practice with X.509v1 certificates was to put the FQDN in the certificate's commonName field of the subjectName field. This practice is no longer recommended for new applications since X.509v3 allows certificate extensions to hold the FQDN as well as other identifying information, such as IP address. The proper place for the FQDN is in the dNSName field of the subjectAltName extension. Nonetheless commonName is tested (and sometimes even falsely in addition to subjectAltName, as just recently fixed for the MUA i maintain (then removed entirely as a fixup)). (Slightly adjusted version of an email i sent to another list some days ago.) --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)