Actually, per the latest CA/Browser Forum guidelines, subject.CN is not only optional but “discouraged”.
-FG

> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <[email protected]> wrote:
>
> SubjectCN is an operational requirement of X.509, I believe. It's not
> optional in the data structure, at any rate.
>
> -Kyle H
>
>> On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson <[email protected]> wrote:
>>
>> Salz, Rich via openssl-users <[email protected]> wrote:
>>> Putting the DNS name in the CN part of the subjectDN has been
>>> deprecated for a very long time (more than 10 years), although it
>>> is still supported by many existing browsers. New certificates
>>> should only use the subjectAltName extension.
>>
>> Fair enough.
>>
>> It seems that the "openssl ca" mechanism still seems to want a subjectDN
>> defined. Am I missing some mechanism that would let me omit all of that? Or
>> is a patch needed to kill what seems like a current operational requirement?
>>
>> --
>> ] Never tell me the odds! | ipv6 mesh networks [
>> ] Michael Richardson, Sandelman Software Works | IoT architect [
>> ] [email protected] http://www.sandelman.ca/ | ruby on rails [

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
