> On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users <openssl-users@openssl.org> wrote:
>
> subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD
> mark subjectAltName as non-critical"

This is wrong. When the subject DN is empty, the subjectAltName should be marked as critical. IIRC some Java implementations reject the certificate otherwise.

> I can believe that OpenSSL doesn't support empty subjectName's. An empty
> one, with no relative distinguished name components, is not the same as not
> present.

OpenSSL supports empty (empty RDN sequence) subject DNs. The "-subj /" option is one way to make that happen. Empty is of course different from "absent", which is not possible, since the subject DN is a required component of an X.509 certificate.

--
Viktor.
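
The rule from the reply above, as an added example that is not part of the original message: it issues two throwaway certificates with an empty subject DN via `-subj /`, one with a critical subjectAltName and one without, and checks each. It assumes OpenSSL 1.1.1 or later (for `-addext`); `host.example` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1 or later (-addext).
# host.example is a constructed name.

# Issue a throwaway self-signed cert with an empty subject DN ("-subj /").
# $1 = certificate path, $2 = subjectAltName extension value.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj / \
        -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# True when the subject DN is an empty RDN sequence.
subject_is_empty() {
    [ -z "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ]
}

# True when the subjectAltName extension carries the critical flag.
san_is_critical() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'X509v3 Subject Alternative Name: critical'
}

# Returns 0 if acceptable, 1 if the subject is empty without a critical SAN,
# 2 if the file is not a readable certificate.
check_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if subject_is_empty "$1" && ! san_is_critical "$1"; then
        echo "FAIL $1: empty subject DN, subjectAltName not critical"
        return 1
    fi
    echo "OK   $1"
}

dir=$(mktemp -d)
make_cert "$dir/good.pem" "critical,DNS:host.example"
make_cert "$dir/weak.pem" "DNS:host.example"
check_cert "$dir/good.pem"
check_cert "$dir/weak.pem" || true   # expected to fail the check
rm -rf "$dir"
```
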