Stuart Henderson wrote:
> On 2017/06/27 18:11, Ted Unangst wrote:
> > so chrome at least has gotten pretty uppity about certs that lack subject
> > altnames.
>
> Oh that's going to be hilarious. There are at least valid reasons for
> doing this (e.g. nameConstraints don't work with CN).

I have elected to remain partially in the dark, but the official normal way of doing X509 and the browser CAB forum way of doing things are diverging. great thing about standards...

> certifate -> certificate, and it's not really "deprecated" if they
> disabled support.
>
> But I think it should be reworked a bit more - show SAN as a required
> step rather than a "maybe you need to do this"..

yeah, i wasn't sure how specific it needed to be, but this section does say "for web servers". i was hoping to limp along until somebody writes a more useful tool for cert management. :)

the wrinkle is this new fun stuff has to be added to a file, you can't put it on the command line, so the one liner examples will be less pretty.
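
The file-based approach mentioned in the message above, as an added example that is not part of the original thread or of any manual page it discusses: the subjectAltName entries are written to a config file, a self-signed certificate is generated from it, and the SAN extension is read back to confirm it is present. It assumes the `openssl` command is the tool in use; the function names, file names and host names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the openssl(1) command; function names, file
# names and host names are illustrative, not taken from the thread.

# make_san_cert DIR NAME [NAME...]
# Writes DIR/san.cnf, DIR/server.key and DIR/server.crt. The first NAME
# becomes the CN; every NAME is also listed as a DNS subjectAltName.
make_san_cert() {
    dir=$1; shift
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    # The SAN list lives in the config file, not on the command line.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext

[dn]
CN = $1

[ext]
subjectAltName = $san
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 365 -config "$dir/san.cnf" \
        -key "$dir/server.key" -out "$dir/server.crt"
}

# cert_sans CERT
# Prints the SAN list of CERT with spaces removed; prints nothing and
# returns non-zero when the certificate has no SAN extension.
cert_sans() {
    line=$(openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    [ -n "$line" ] && printf '%s\n' "$line"
}

# Usage when run as a script: sh san.sh DIR www.example.com example.com
if [ "$#" -ge 2 ]; then
    make_san_cert "$@" && cert_sans "$1/server.crt"
fi
```

A certificate for which `cert_sans` prints nothing is the kind the thread describes browsers rejecting.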