You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Suggested by @tarcieri. This would enable CommonName to be omitted from a certificate. However, before exposing this in x509::write::tbs_certificate (making either issuer or subject optional), we should ensure that we are still generating valid certificates. It appears that an empty Subject is valid under RFC 5280, but is not guaranteed to be compatible (and e.g. a non-empty CN is currently required under CA/B rules).
The text was updated successfully, but these errors were encountered:
I believe a certificate with an empty subject also needs a critical SAN to be valid.
The alternative to an empty subject which my understanding is more compatible is including something in the subject to make it non-empty. I believe dnQualifier has been (ab)used for this purpose (set to e.g. a random nonce).
So the remaining work is to either add SAN support (and then require either a subject or SAN), or translate an empty subject into a non-empty field.
str4d
changed the title
Pass CommonName to x509::write::name as Option<&str>
Add opinionated handling of certificates with empty SubjectName fields
Jan 10, 2021
Suggested by @tarcieri. This would enable CommonName to be omitted from a certificate. However, before exposing this in
x509::write::tbs_certificate
(making eitherissuer
orsubject
optional), we should ensure that we are still generating valid certificates. It appears that an empty Subject is valid under RFC 5280, but is not guaranteed to be compatible (and e.g. a non-empty CN is currently required under CA/B rules).The text was updated successfully, but these errors were encountered: