Multi-valued RDN in Subject Alternative Name extension

Multi-valued RDN in Subject Alternative Name extension

Gareth Williams
I can successfully add a multi-value RDN to the Subject of a
certificate request using the + format in the config file:

    distinguished_name = req_dn

    [ req_dn ]
    O=Acme
    CN=Bloggs
    +C=GB

However, if I add a SAN to the request:

    subjectAltName = @alt_names

    [ alt_names ]
    DNS = www.example.com
    dirName = req_dn

the resulting request has them as separate RDNs (as if the + is not noticed).

That is, the resulting subject field is: O = Acme, C = GB + CN = Test
While the resulting SAN extension is: DNS:www.example.com,
DirName:/O=Acme/C=GB/CN=Test

Should multi-value RDNs work in the SAN too?

Kind regards,

Gareth Williams
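To see what such a request actually contains, here is an added example (not code from the thread or from OpenSSL) that builds a CSR from a config like the one above and reads the DN structure back with `openssl asn1parse`. The DirName in the `-text` dump is rendered in the legacy one-line format, which prints every attribute with a leading slash whether or not it shares an RDN with its neighbour, so that line alone cannot show whether the `+` grouping survived; counting the ASN.1 SETs (one per RDN) in the DER can. The script assumes an openssl CLI (1.1.1 or 3.x) on PATH; the work directory and file names are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a CSR from a config that
# uses the "+" prefix for a multi-valued RDN, then inspect how the subject and
# the SAN dirName were really encoded by looking at the DER structure instead
# of the text dump. Assumes an openssl CLI (1.1.1 or 3.x) on PATH; the work
# directory and file names are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Request config. "+C = GB" attaches C to the RDN started by the previous
# line (CN), so the subject is O=Acme / CN=Bloggs+C=GB: two RDNs, not three.
# The same section is reused as the SAN dirName, as in the original post.
write_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]
O  = Acme
CN = Bloggs
+C = GB

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS     = www.example.com
dirName = req_dn
EOF
}

# Throwaway EC key plus the CSR built from that config.
make_csr() {
    write_config
    openssl req -new -config "$WORK/req.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/key.pem" -out "$WORK/req.csr" >/dev/null 2>&1
}

# Subject in RFC 2253 form, where "+" joins the members of one RDN.
subject_rfc2253() {
    openssl req -in "$WORK/req.csr" -noout -subject -nameopt RFC2253
}

# Number of RDNs (ASN.1 SETs) in the subject: they sit at depth 3 of the CSR
# (CertificationRequest > CertificationRequestInfo > subject Name > SET).
subject_rdn_count() {
    openssl asn1parse -in "$WORK/req.csr" | grep -c 'd=3 .*cons: SET'
}

# Dump the GeneralNames inside the subjectAltName extension. The extension
# value is an OCTET STRING; -strparse descends into it at the offset found
# on the line that follows the extension's OID.
san_asn1() {
    off=$(openssl asn1parse -in "$WORK/req.csr" |
        awk '/Subject Alternative Name/ { found = 1; next }
             found && /OCTET STRING/ { split($1, a, ":"); print a[1]; exit }')
    openssl asn1parse -in "$WORK/req.csr" -strparse "$off"
}

# RDNs inside the dirName GeneralName (the only SETs in the SAN) and the
# attribute-type OIDs under it. 3 attributes in 2 SETs means the "+" was
# honoured; 3 SETs means it was flattened into single-valued RDNs.
dirname_rdn_count() {
    san_asn1 | grep -c 'cons: SET'
}
dirname_attr_count() {
    san_asn1 | grep -c 'prim: OBJECT'
}

make_csr
echo "subject (RFC 2253):      $(subject_rfc2253)"
echo "subject RDN count:       $(subject_rdn_count)"
echo "dirName RDN count:       $(dirname_rdn_count)"
echo "dirName attribute count: $(dirname_attr_count)"
```

Run it as is, or point `WORK` at a directory you want to keep; the generated `req.csr` can then be fed to any other tool whose handling of multi-valued RDNs you want to test. Comparing the two RDN counts is the check that matters: if the dirName count matches the subject count, the SAN carries the same grouping the subject does regardless of how a text dump renders it.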
Re: Multi-valued RDN in Subject Alternative Name extension

Michael Ströder
On 6/18/20 9:12 AM, Williams, Gareth wrote:
> I can successfully add a multi-value RDN to the Subject of a
> certificate request using the + format in the config file:
> [..]
> However, if I add a SAN to the request:
> [..]
> the resulting request has them as separate RDNs (as if the + is not
> noticed).
Probably not the answer you were expecting:

In general multi-valued RDNs are a can of worms. Even if you solve this
particular step within OpenSSL you might run into many more issues with
other components using the certs.

=> I'd strongly recommend to avoid multi-valued RDNs.

Sometimes people want to make the subject DN unique by adding attributes
to the RDN. But those attribute values would have to be unique in a
certain scope anyway to achieve that. C (country ISO code) does not look
like a good candidate for that. Or did you just use that as demo example?

Ciao, Michael.
Re: Multi-valued RDN in Subject Alternative Name extension

Gareth Williams
On Sat, 20 Jun 2020 at 10:21, Michael Ströder <[hidden email]> wrote:

>
> On 6/18/20 9:12 AM, Williams, Gareth wrote:
> > I can successfully add a multi-value RDN to the Subject of a
> > certificate request using the + format in the config file:
> > [..]
> > However, if I add a SAN to the request:
> > [..]
> > the resulting request has them as separate RDNs (as if the + is not
> > noticed).
> Probably not the answer you were expecting:
>
> In general multi-valued RDNs are a can of worms. Even if you solve this
> particular step within OpenSSL you might run into many more issues with
> other components using the certs.
>
> => I'd strongly recommend to avoid multi-valued RDNs.
>
> Sometimes people want to make the subject DN unique by adding attributes
> to the RDN. But those attribute values would have to be unique in a
> certain scope anyway to achieve that. C (country ISO code) does not look
> like a good candidate for that. Or did you just use that as demo example?
>

Thanks for the response.

I chose the country attribute simply as an example.

I stumbled upon this while testing something else, so thought I’d ask
the question.  Your pragmatic answer is fine by me as I had no real
use case – just a matter of curiosity.

Thanks again,

Gareth