Common Name support has been added for acme.crypto_util.make_csr()

[ZenSecurity]

With help of this commit we can set "common_name" manually in make_csr(), or just use first domain from "subject_alt_names" list if "common_name" is empty.

[schoen]

Hi @ZenSecurity ,

Thanks!

Do you have a particular way that you'd like to see this functionality get used in Certbot, or another client where you would like to use it? I know users sometimes ask us about how to cause a particular name to be displayed in the CN X.509 field, so it looks like you're aiming at giving people more convenient control of that. But how do you envision that users would take advantage of this feature?

[ZenSecurity]

This feature will be useful for python developers, who use bare acme library without certbot client, like i do. It will help to integrate letsencrypt more easily into complicated infrastructure.

[ohemorange]

@schoen, looks like you're on top of reviewing this. Just wanted to point out that different clients sometimes have different behavior around when certs do an do not have a common name set and when SANs are or aren't set, so we might want to consider that when making the change to always set the common name.

[ZenSecurity]

Any updates ?

[schoen]

OK, that sounds fine! Would it be safer to also add a check asserting that common_name is an element of subject_alt_names?

[ZenSecurity]

What do you think about backward compatibility (https://www.digicert.com/subject-alternative-name-compatibility.htm), maybe we need more accurate checks, especially for wildcards ?