Hi Erwann,

On Thu, Feb 14, 2013 at 11:09:23AM +0100, Erwann Abalea wrote:
> RFC5280 was not "written by the CAs themselves".

Some of them are listed in the authorship; they also reference 5280 and other 
PKI RFCs in the standards they created as part of the CAB Forum and the 
WebTrust auditing standards. They were the ones who led me to the RFC to begin 
with when I began working on this project. :)

> The deprecation of CNs in favor of elements found in the SAN
> extension is logical and comes from CAs as well as browser vendors;
> CN use has been abused to contain names (human readable), IP
> addresses, and host names (either simple or fully qualified).
> Testing for a match between a certificate and the entity that you
> want to contact is not eased.
> Browser vendors now push forward name constraints for subordinate
> CAs, and name constraints don't deal well at all with the idea of
> "lets put everything possible in the CN". SAN can contain clearly
> labelled dnsNames and ipAddresses, which makes checking much more
> easier and less error prone. That's better for everyone.

100% agree... this is why I'm designing my project to do it the modern way 
using SAN only. But in order to be sure it works I needed to generate such a 
certification request with OpenSSL, to be sure my code processes it right 
whether it has CN, SAN, or both present at once.

> For your particular problem, CAs usually ignore extensions you set
> in your request. To populate the SAN extension, you generally have
> to provide your elements, aside the request. You still can set a CN
> in your request, its content will be copied into the SAN.

Less of a problem in my case, as I'm the guy implementing the CA. So this time 
it's me rejecting CN and requiring use of SAN for everything that wants to get 
my CA to issue them a certificate.

> Erwann ABALEA

Matthew.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
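The following is an added example, not code from this thread or from the OpenSSL project. It builds the three request variants Matthew mentions (CN only, SAN only, both) with the `openssl req` command line, then applies the CA-side rule he describes: a request is accepted only if its self-signature verifies and it carries a subjectAltName extension. It assumes a POSIX shell with the `openssl` binary (`genrsa`, `req`, `-reqexts`, `-nameopt`); the key, host names and IP address are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): generate CN-only, SAN-only and CN+SAN
# certificate requests with the openssl CLI, then apply a CA policy that
# refuses any request without a subjectAltName. Names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: the DN section is left empty because the subject is
# supplied with -subj; the [san] section is attached per request via -reqexts.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]

[ san ]
subjectAltName = DNS:example.test, DNS:www.example.test, IP:192.0.2.10
EOF

# One throwaway 2048-bit RSA key shared by all three requests (demo only).
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# make_csr OUTFILE SUBJECT [san]  -- build a CSR, adding the SAN extension
# only when the third argument is "san".
make_csr() {
    out=$1; subj=$2; ext=${3:-}
    if [ "$ext" = san ]; then
        openssl req -new -key "$WORK/key.pem" -config "$WORK/req.cnf" \
            -subj "$subj" -reqexts san -out "$out" 2>/dev/null
    else
        openssl req -new -key "$WORK/key.pem" -config "$WORK/req.cnf" \
            -subj "$subj" -out "$out" 2>/dev/null
    fi
}

make_csr "$WORK/cn-only.csr"  "/CN=example.test"
make_csr "$WORK/san-only.csr" "/O=Example Org"   san   # subject without any CN
make_csr "$WORK/both.csr"     "/CN=example.test" san

# ---- CA-side inspection helpers -------------------------------------------

# Print the CN from the request subject (empty output if there is none).
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the request carries a subjectAltName extension.
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -q 'X509v3 Subject Alternative Name'
}

# Print the SAN entries as openssl renders them,
# e.g. "DNS:example.test, DNS:www.example.test, IP Address:192.0.2.10".
csr_san_entries() {
    openssl req -noout -text -in "$1" \
        | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# The policy from the thread: the request must verify against the public key
# it contains, and it must carry a SAN; a CN on its own is rejected.
ca_policy_check() {
    csr=$1
    if ! openssl req -noout -verify -in "$csr" >/dev/null 2>&1; then
        echo "reject $csr: request signature does not verify"
        return 1
    fi
    if ! csr_has_san "$csr"; then
        echo "reject $csr: no subjectAltName (CN '$(csr_cn "$csr")' alone is not accepted)"
        return 1
    fi
    echo "accept $csr: $(csr_san_entries "$csr")"
}

for f in cn-only san-only both; do
    ca_policy_check "$WORK/$f.csr" || true
done
```

Running the script prints one verdict per request: the CN-only request is rejected, the other two are accepted with their SAN entries listed. The `-reqexts` switch is what places the extension inside the request itself, which is exactly the part a public CA would normally discard and re-derive from its own validation data; for a private CA such as the one in the thread, reading it back with `openssl req -text` is the cheapest way to confirm the parser handles all three shapes.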