X.509 Are all parts of a DN optional?

Are all the parts of the DN in a X.509 optional?
From RFC3280:

Implementations of this specification MUST be prepared to receive the following standard attribute types in issuer and subject (section 4.1.2.6) names:

  * country,
  * organization,
  * organizational-unit,
  * distinguished name qualifier,
  * state or province name,
  * common name (e.g., "Susan Housley"), and
  * serial number.

I could not find if any of these is mandatory.
I am asking because I am seeing a certificate that is signed by a trusted CA, but in the issuer's field the CN is missing (and the C, but I don't think that's important).
I was expecting that CN is mandatory. Is it?
Are there any security implications of the omission of the CN from the issuer's field?

Cratylus asked Apr 23 '12 06:04


2 Answers

As @Bruno says, there is no requirement in RFC3280 for an Issuer DN to have a CN. RFC3280 states:

The issuer field MUST contain a non-empty distinguished name (DN).

However, RFC3280 does not make any requirement on which RDN(s) should be present. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.

OU = Equifax Secure Certificate Authority,O = Equifax,C = US

Or this Verisign CA.

OU = VeriSign Trust Network,OU = "(c) 1998 VeriSign, Inc. - For authorized use only",OU = Class 3 Public Primary Certification Authority - G2,O = "VeriSign, Inc.",C = US

Path building and validation using RFC3280 does not require a CN in the Issuer DN.

PhilR answered Oct 17 '22 17:10

The RFC says that the name of the subject may be present in Subject Alternative Name extension. Section 4.2.1.7 says the following (which must be your case):

Further, if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present. If the subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.

Eugene Mayevski 'Callback answered Oct 17 '22 17:10