You're right, I typoed.  SubjectDN is non-optional.  But it can, as
you mentioned, be an empty sequence.

But for PKIX purposes, it can't be empty if it's an Issuer (because
IssuerDN can't be empty in the certificates that it issues).

-Kyle H

On Sun, Dec 23, 2018 at 3:35 PM Viktor Dukhovni
<openssl-us...@dukhovni.org> wrote:
>
>
>
> > On Dec 23, 2018, at 4:29 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> >
> > SubjectCN is an operational requirement of X.509, I believe.
>
> You're confusing the DN and the CN.
>
> >  It's not optional in the data structure, at any rate.
>
> The subjectDN is not optional, but it can be an empty sequence, and
> is empty for domains whose name exceeds the CN length limit of either
> 63 or 64 characters (can't recall which of the two just now, but that
> is not important).
>
> --
>         Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
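
As an added illustration (not part of the thread and not OpenSSL's code), this Python sketch walks a certificate's DER to see whether the issuer and subject Names are empty SEQUENCEs (`30 00`) and flags only the empty issuer. The helper names and the skeletal certificate bytes are constructed for the example; the skeleton is not a valid certificate.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def name_status(cert_der):
    """Report whether issuer and subject are empty SEQUENCEs."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        tbs = tbs[1:]
    issuer, subject = tbs[2], tbs[4]        # serial, sigAlg, issuer, validity, subject
    if issuer[0] != 0x30 or subject[0] != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    return {"issuer_empty": not issuer[1], "subject_empty": not subject[1]}

def pkix_problems(cert_der):
    """Empty subject is allowed; empty issuer is not (the rule stated in the thread)."""
    return ["issuer DN is empty"] if name_status(cert_der)["issuer_empty"] else []

# --- constructed sample data (not a valid certificate, only the field order is real) ---
def der(tag, *parts):
    body = b"".join(parts)                  # short-form lengths only: body must be < 128 bytes
    return bytes([tag, len(body)]) + body

EMPTY = der(0x30)                           # 30 00, the empty Name
ISSUER = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403"), der(0x0C, b"Example CA"))))

def skeleton(issuer, subject):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30),
              issuer, der(0x30), subject, der(0x30))
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
```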