Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What strings are allowed in the "common name" attribute in an X.509 certificate?

Tags:

security

asn.1

x509

In the common name field of the DN of a X509 certificate, as defined in ASN.1 notation for OID "2.5.4.3", what are the allowed values?

I know that the limit is up to 64 characters, but are all characters allowed? Digits?
E.g. are .s allowed? Is an IP address (x.x.x.x) a valid sequence per the ASN definition?
Is a domain name allowed?

like image 394
Cratylus Avatar asked Feb 27 '11 21:02

Cratylus

People also ask

What is common name in x509 certificate?

In the case of a single-name certificate, the common name consists of a single host name (e.g. example.com , www.example.com ), or a wildcard name in case of a wildcard certificate (e.g. *. example.com ). The common name is technically represented by the commonName field in the X. 509 certificate specification.

What attribute is included in a x 509 certificate?

No matter its intended application(s), each X. 509 certificate includes a public key, digital signature, and information about both the identity associated with the certificate and its issuing certificate authority (CA): The public key is part of a key pair that also includes a private key.

What is x509 subject name?

An X. 509 certificate consists of a number of fields. The Subject field is the one of most relevance to this tutorial. It gives the DName of the client to which the certificate belongs. A DName is a unique name given to an X.

3 Answers

The common name attribute in a Distinguished Name is encoded as:

X520CommonName ::= CHOICE {       teletexString     TeletexString   (SIZE (1..ub-common-name)),       printableString   PrintableString (SIZE (1..ub-common-name)),       universalString   UniversalString (SIZE (1..ub-common-name)),       utf8String        UTF8String      (SIZE (1..ub-common-name)),       bmpString         BMPString       (SIZE (1..ub-common-name)) }

where ub-common-name is 64. The last three encodings allow the use of all Unicode code points (using UTF-16 for code points beyond 0xFFFF with bmpString); UTF-8 is the preferred encoding (at least the standards say so).

As far as X.509 is concerned (see RFC 5280), the contents of DN elements are irrelevant beyond equality comparisons; which means that you can put whatever sequence of characters you wish, as long as you do so consistently. RFC 5280 mandates case-insensitive comparisons for UTF-8 encoded name elements, and this is not easy in the general context of Unicode: see section 7.1, which links to RFC 4518 and 3454. Also, the "common name" is frequently displayed to the user (at least on systems using X.509 certificates which have a display and a physical user), so you probably want to use a string which is meaningful or at least not too scary for a human, and you may try to avoid non-latin scripts.

Putting a DNS name in the "common name" attribute is common practice for HTTPS server certificates: see RFC 2818 (the server certificates contains the server name, which the client matches against the server name in the URL; normally, the Subject Alt Name extension is preferred for that, but the common name is somewhat more widely supported by clients).

like image 149
Thomas Pornin Avatar answered Sep 21 '22 22:09

Thomas Pornin

If your main problem is to know whether or not you can (or should) put an IP address in the Subject DN's Common Name, the answer is no.

This isn't related to the X.509 format, but to the specifications that say how to interpret what they read.

When it comes to HTTPS, RFC 2818 says the following about IP addresses:

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

This means that the CN shouldn't be used at all for an IP address, and that the SAN entry type must by IP address, not DNS. (Some browsers, won't implement this fully, so they might be more tolerant. The Java default host name verifier will be strict.)

Best practices for certificate identity verification are also now defined in RFC 6125, but it considers IP addresses out of scope (it's worth reading this section for arguments against using IP addresses there). If you go through the excerpts of RFCs regarding other protocols, some have similar constraints regarding IP addresses (e.g. LDAP).

like image 42
Bruno Avatar answered Sep 17 '22 22:09

Bruno

Whilst the above answers cover what you'll usually find in there, don't forget that because this is X.509 you can actually put pretty much anything in there. The certificate below for example uses 0.9.2342.19200300.100.1.5 which is 'favourite drink' (See http://www.alvestrand.no/objectid/0.9.2342.19200300.100.1.5.html). Openssl understand this, so the common name is displayed as CN=example.com/[email protected]/favouriteDrink=tequila. There are many other fields that can be put in the certificate common name.

You can use openssl x509 -text to verify that the certificate displays as I've described.

-----BEGIN CERTIFICATE-----
MIIDOzCCAiOgAwIBAgIBCzANBgkqhkiG9w0BAQUFADCBqzEmMCQGA1UEAxMdV2Vz
dHBvaW50IENlcnRpZmljYXRlIFRlc3QgQ0ExEzARBgNVBAgTCkxhbmNhc2hpcmUx
CzAJBgNVBAYTAlVLMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLmNvbTFAMD4G
A1UEChM3V2VzdHBvaW50IENlcnRpZmljYXRlIFRlc3QgUm9vdCBDZXJ0aWZpY2F0
aW9uIEF1dGhvcml0eTAeFw0xMTA3MzEyMTAxMTdaFw0yMTA3MjgyMTAxMTdaMFAx
FDASBgNVBAMTC2V4YW1wbGUuY29tMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1w
bGUuY29tMRcwFQYKCZImiZPyLGQBBRMHdGVxdWlsYTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAuCqI3aNbSkRpA9VuGOmeVQ010Oaawsz4tcW2FQChJDOv6PuT
ucy5IijvaVewotDjnuVzPpBVW5EmC8Qapradomhb6FtFPyH/hGSnhLtht3Ln6stJ
ZkAjvr/wjWDy+3Gy/P5r5weUNWVm2AaQgk2xumx49EIXyzwOEHAhqTE7iEECAwEA
AaNIMEYwCQYDVR0TBAIwADA5BggrBgEFBQcBAQQtMCswKQYIKwYBBQUHMAGGHWh0
dHA6Ly9vY3NwLmV4YW1wbGUuY29tOjg4ODgvMA0GCSqGSIb3DQEBBQUAA4IBAQBL
oz035PphO4yUx7FJVaZjxLgTM4wLrcn2ONGm015/ECO+1Uxj3hWb6/EIDDKV/4e8
x0HDF69zyawYLD1th5tBcZLkV/Dat/Tzkt3boLOCGo2I1P+yjqxlb7BZCk7PEs3+
zjWF2hMcXtAwOIrsRuvXp4eTGwigKLAt/H02US/fa2dXFbOnz91V7oH8ZvynIl/n
hpELPzVWX/pBnHEGA9Bi0jviCKuvQisfaJ8XCiA73qH6CkSoZ2fClnrs+pJNj8i6
vtcMx8htn7FsyB3puVww86JSQ+VDKlQkFbPVla/4Aavzwz8djjVYEWwSgm+tw3jB
zUP/k5Aln5cXNo50KOip
-----END CERTIFICATE-----
like image 20
Richard Moore Avatar answered Sep 18 '22 22:09

Richard Moore
Sign in to Comment

Related questions

Cannot create SSPI context
Good Secure Backups Developers at Home [closed]
Accessing data in internal production databases from a web server in DMZ
Is there a way to load a different cacerts than the one specified in the java_home/jre/lib/security folder?
Session timeouts in PHP: best practices
Escaping strings for use in XML
PHP Forgot Password Function
How does your company do "Enterprise" Password Management?
How is SecureString "encrypted" and still usable?
Possible to view PHP code of a website?
Java Best Practices to Prevent Cross Site Scripting [closed]
Simple example for why Same Origin Policy is needed
How to create a self signed certificate with the private key inside in a file in one simple step?
How can I check website security for free?
Application vulnerability due to Non Random Hash Functions
What's the purpose of each of the different UIDs a process can have?
How do I prevent DLL injection
How to Customize ASP.NET Web API AuthorizeAttribute for Unusual Requirements
Include the "minus-sign" into this regular expression, how?
Understanding CSRF

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!