Are all the parts of the DN in an X.509 certificate optional?
From RFC3280:
Implementations of this specification MUST be prepared to receive the following standard attribute types in issuer and subject (section 4.1.2.6) names:
* country,
* organization,
* organizational-unit,
* distinguished name qualifier,
* state or province name,
* common name (e.g., "Susan Housley"), and
* serial number.
I could not find if any of these is mandatory.
I am asking because I am seeing a certificate that is signed by a trusted CA but in the issuer's field the CN is missing (and the C, but I don't think that's important). I was expecting that CN is mandatory. Is it?
Are there any security implications of the omission of the CN from the issuer's field?
As @Bruno says, there is no requirement in RFC3280 for an Issuer DN to have a CN. RFC3280 states:
The issuer field MUST contain a non-empty distinguished name (DN).
However, RFC3280 does not make any requirement on which RDN(s) should be present. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.
OU = Equifax Secure Certificate Authority,O = Equifax,C = US
Or this Verisign CA.
OU = VeriSign Trust Network,OU = "(c) 1998 VeriSign, Inc. - For authorized use only",OU = Class 3 Public Primary Certification Authority - G2,O = "VeriSign, Inc.",C = US
Path building and validation using RFC3280 does not require a CN in the Issuer DN.
The RFC says that the name of the subject may be present in the Subject Alternative Name extension. Section 4.2.1.7 says the following (which must be your case):
Further, if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present. If the subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.
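To make the two rules from these answers concrete (the issuer DN must be non-empty but needs no particular RDN such as CN; an empty subject DN is only allowed with a critical subjectAltName), here is an added example that is not part of the thread. It parses DN strings in the comma-separated form quoted above (the Equifax and VeriSign issuer names) and applies those checks; the `san_present` / `san_critical` flags are assumed inputs standing in for the extension state read from a real certificate.

```python
"""Added example (not from the thread): apply the RFC 3280 name rules
discussed above to DN strings written in the comma-separated form."""
from typing import Dict, List, Tuple


def _split_rdns(dn: str) -> List[str]:
    """Split on commas that are not inside double quotes (escaped quotes not handled)."""
    parts, buf, in_quotes = [], [], False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (attribute type, value) pairs; '' parses to [] (an empty SEQUENCE)."""
    rdns = []
    for part in _split_rdns(dn):
        if not part.strip():
            continue
        attr_type, _, value = part.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the quotes around values containing commas
        rdns.append((attr_type.strip(), value))
    return rdns


def check_issuer(issuer_dn: str) -> Dict[str, object]:
    """RFC 3280 4.1.2.4: issuer must be a non-empty DN; no RDN type (CN included) is required."""
    rdns = parse_dn(issuer_dn)
    problems = [] if rdns else ["issuer DN is empty (RFC 3280 4.1.2.4)"]
    has_cn = any(t.upper() == "CN" for t, _ in rdns)
    return {"ok": not problems, "has_cn": has_cn, "problems": problems}


def check_subject(subject_dn: str, san_present: bool, san_critical: bool) -> Dict[str, object]:
    """RFC 3280 4.1.2.6 / 4.2.1.7: an empty subject requires a critical subjectAltName."""
    problems = []
    if not parse_dn(subject_dn):  # empty subject: identity must come from the SAN
        if not san_present:
            problems.append("empty subject DN without subjectAltName extension")
        elif not san_critical:
            problems.append("empty subject DN but subjectAltName is not marked critical")
    return {"ok": not problems, "problems": problems}
```

Run against the Equifax issuer above, `check_issuer` reports `has_cn` False with no problems, which is exactly the situation in the question: valid under RFC 3280, just unusual.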