only old-style (CN) certificates are generated
Brought to you by:
davefx
The only certificates that can be generated are the ones where the subject is identified in the CN field of the certificate. In new certificates you can set those values in the subject alternative name of the certificate, where e-mail addresses, IP addresses and HTTP addresses are allowed.
Please, could you point to any RFC or "official" documentation that says what you say?
Thanks.
Must check if CSRs are able to include a Subject Alternative Name extension.
If not, we should change the certificate generation process a bit, allowing the CA to include extensions and other things.
This will be a post-1.0 feature.
GnuTLS already supports this in versions greater than 2.7.0, currently only experimental.
Hi Dave,
AFAIK subjectAltName is commonly used in X.509 PKI these days. Here are some RFCs describing subjectAltName:
RFC 2459 - Section 4.2.1.7 Subject Alternative Name
RFC 3280 - Section 4.2.1.7 Subject Alternative Name
Probably makes sense to make "2895280 Feature: add subjectAltName & emailAddress" a duplicate of this one as it seems to ask for the same functionality.
Hopefully you decide to add this. I'll be looking forward to it :-)
Cheers, Peter
Just want to point out that the support of Subject Alternative Name becomes very important.
Google Chrome now blocks and marks all certificates as untrusted if the FQDN of the host does not match the SubjectAlternativeName (or if it is unset). See https://support.google.com/chrome/a/answer/7391219
Firefox still seems to be satisfied with only the CN, but they will probably follow soon.
Sadly, that currently limits gnoMint generated certificates.
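The two technical points raised in this thread, the subjectAltName extension a CA would have to emit (the CSR/extension question above) and the SAN-only host matching that Chrome now enforces, as an added example that is not part of the original thread and is not gnoMint's or GnuTLS's code. It uses only the Python standard library: a small DER encoder/decoder for the GeneralNames value of the extension (tag numbers from RFC 5280 section 4.2.1.6, the successor of the RFC 2459/3280 sections cited above), and a host check that, like the Chrome behaviour described above, ignores the CN entirely. All host names, addresses and URIs are constructed sample data; the wildcard rule is the usual RFC 6125 one-label rule and is an assumption about client behaviour, not something the thread states.

```python
"""
Added example, not code from gnoMint or its maintainers: stdlib-only DER
helpers that build and parse the value of an X.509 subjectAltName extension
(GeneralNames, RFC 5280 section 4.2.1.6), plus a host-name check that
consults SAN entries only and never falls back to the CN, as the thread
describes for Chrome. All names, addresses and URIs are constructed samples.
"""
import ipaddress

# Context-specific tag numbers of the GeneralName CHOICE (RFC 5280 4.2.1.6).
TAG_RFC822_NAME = 1   # [1] IA5String: e-mail address
TAG_DNS_NAME = 2      # [2] IA5String: host name
TAG_URI = 6           # [6] IA5String: uniformResourceIdentifier
TAG_IP_ADDRESS = 7    # [7] OCTET STRING: 4 (IPv4) or 16 (IPv6) raw bytes
CONTEXT_PRIMITIVE = 0x80  # tag class bits 10, primitive encoding

_KIND_TO_TAG = {"email": TAG_RFC822_NAME, "dns": TAG_DNS_NAME, "uri": TAG_URI}
_TAG_TO_KIND = {v: k for k, v in _KIND_TO_TAG.items()}


def _der_length(n):
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def encode_san(entries):
    """Encode [(kind, value), ...] as the DER GeneralNames SEQUENCE.

    kind is 'dns', 'email' or 'uri' (IA5String values) or 'ip' (IPv4/IPv6
    text, stored as the packed address bytes, not as text).
    """
    parts = []
    for kind, value in entries:
        if kind == "ip":
            tag, content = TAG_IP_ADDRESS, ipaddress.ip_address(value).packed
        elif kind in _KIND_TO_TAG:
            tag, content = _KIND_TO_TAG[kind], value.encode("ascii")  # IA5String
        else:
            raise ValueError("unsupported GeneralName kind: %r" % kind)
        parts.append(_der_tlv(CONTEXT_PRIMITIVE | tag, content))
    return _der_tlv(0x30, b"".join(parts))  # SEQUENCE OF GeneralName


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_san(der):
    """Inverse of encode_san. Choices this example does not model
    (otherName, directoryName, ...) come back as ('other', tag, raw)."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single GeneralNames SEQUENCE")
    entries, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError("GeneralName must be context-specific")
        num = tag & 0x1F
        if num == TAG_IP_ADDRESS:
            entries.append(("ip", str(ipaddress.ip_address(value))))
        elif num in _TAG_TO_KIND:
            entries.append((_TAG_TO_KIND[num], value.decode("ascii")))
        else:
            entries.append(("other", num, value))
    return entries


def _dns_name_matches(host, pattern):
    """Exact match, or a leading '*' that stands for exactly one label and
    never for the registry suffix itself (so '*.net' matches nothing)."""
    if host == pattern:
        return True
    if pattern.startswith("*.") and pattern.count(".") >= 2:
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def host_matches_san(host, san_entries, cn=None):
    """True if host is covered by a dNSName or iPAddress SAN entry.

    cn is accepted but deliberately ignored: a certificate whose only
    identity is the CN fails this check even when the CN equals the host.
    """
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    host_l = host.lower().rstrip(".")
    for entry in san_entries:
        kind, value = entry[0], entry[1]
        if kind == "ip" and host_ip is not None:
            if ipaddress.ip_address(value) == host_ip:
                return True
        elif kind == "dns" and host_ip is None:
            if _dns_name_matches(host_l, value.lower().rstrip(".")):
                return True
    return False


if __name__ == "__main__":
    sample = [("dns", "www.example.com"), ("dns", "*.example.net"),
              ("email", "hostmaster@example.com"), ("ip", "192.0.2.10")]
    der = encode_san(sample)
    print(der.hex(), decode_san(der))
    print(host_matches_san("www.example.com", decode_san(der)))
    print(host_matches_san("legacy.example.org", [], cn="legacy.example.org"))
```

The encoder only produces the extension value; a real CA still wraps it in the Extension structure (OID 2.5.29.17, criticality flag, OCTET STRING) and places it in the certificate's extensions sequence. Note that an rfc822Name entry equal to the host name does not satisfy the host check: only dNSName and iPAddress entries identify a server, which is the reason a CN-only certificate, or one whose SAN carries only an e-mail address, is rejected by a SAN-only client.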