> On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users 
> <openssl-users@openssl.org> wrote:
> 
> subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD 
> mark subjectAltName as non-critical"

This is wrong.  When the subject DN is empty, the subjectAltName should be
marked as critical.  IIRC some Java implementations reject the certificate
otherwise.

> I can believe that OpenSSL doesn't support empty subjectName's.  An empty 
> one, with no relative distinguished name components, is not the same as not 
> present.

OpenSSL supports empty (empty RDN sequence) subject DNs.
The "-subj /" option is one way to make that happen.

Empty is of course different from "absent", which is not
possible, since the subject DN is a required component of
an X.509 certificate.

-- 
        Viktor.
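
Added example (not part of the message above and not OpenSSL project code): shell functions that create a throwaway self-signed certificate with an empty subject DN via "-subj /", then check that a certificate with an empty subject carries a critical subjectAltName. It assumes OpenSSL 1.1.1 or later (for -addext) and a default openssl.cnf; the function names, file paths and host.example are made up for illustration.

```shell
#!/bin/sh
# Added example: function names, paths and host.example are constructed.

# Create a throwaway self-signed certificate whose subject DN is an empty
# RDN sequence ("-subj /").
#   $1 = key file to write, $2 = certificate file to write,
#   $3 = subjectAltName value, e.g. "critical,DNS:host.example"
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj / \
        -addext "subjectAltName=$3" \
        -keyout "$1" -out "$2" 2>/dev/null
}

# Return 0 if the certificate in $1 has a non-empty subject DN, or an empty
# subject DN together with a subjectAltName marked critical; 1 otherwise.
check_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject |
              sed 's/^subject=[[:space:]]*//')
    [ -n "$subject" ] && return 0
    openssl x509 -in "$1" -noout -text |
        grep -q 'X509v3 Subject Alternative Name: critical'
}

# Demonstration on a constructed certificate.
tmp=$(mktemp -d)
make_cert "$tmp/key.pem" "$tmp/cert.pem" "critical,DNS:host.example"
if check_cert "$tmp/cert.pem"; then
    echo "empty subject DN with critical subjectAltName"
else
    echo "empty subject DN without critical subjectAltName"
fi
rm -rf "$tmp"
```
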
