minimum viable CSR?

Felipe Gasper-2
Hello,

        I have domains whose length exceeds the commonName maximum. To create a signing request for such a domain, then, I can’t put the domain in the CSR’s subject.

        Assuming that I’m interested in just a DV certificate--such that the CSR’s subject DN actually provides no useful information--what would the minimum-viable subject look like from the generation-via-OpenSSL side?

        Thank you!

cheers,
-Felipe Gasper

Re: minimum viable CSR?

Hubert Kario
On Tuesday, 14 July 2020 21:18:53 CEST, Felipe Gasper wrote:

> Hello,
>
> I have domains whose length exceeds the commonName maximum. To
> create a signing request for such a domain, then, I can’t put
> the domain in the CSR’s subject.
>
> Assuming that I’m interested in just a DV certificate--such
> that the CSR’s subject DN actually provides no useful
> information--what would the minimum-viable subject look like
> from the generation-via-OpenSSL side?

1. Common Name has not been used for host names for quite a few years now
2. most commercial CAs completely ignore any data in the CSR but the public
   key
3. Subject DN can be empty; whether that will be accepted by the CA is up to
   the CA's policy
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Re: minimum viable CSR?

Felipe Gasper-2


> On Jul 15, 2020, at 7:16 AM, Hubert Kario <[hidden email]> wrote:
>
> On Tuesday, 14 July 2020 21:18:53 CEST, Felipe Gasper wrote:
>> Hello,
>>
>> I have domains whose length exceeds the commonName maximum. To create a signing request for such a domain, then, I can’t put the domain in the CSR’s subject.
>>
>> Assuming that I’m interested in just a DV certificate--such that the CSR’s subject DN actually provides no useful information--what would the minimum-viable subject look like from the generation-via-OpenSSL side?
>
> 1. Common Name has not been used for host names for quite a few years now
> 2. most commercial CAs completely ignore any data in the CSR but the public
>    key
> 3. Subject DN can be empty; whether that will be accepted by the CA is up to the CA's policy

Making subject DN empty is what I was struggling with but eventually found a syntax that works.

Thank you!

-F
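
The thread does not show the syntax that was found. As an added example (not from either poster), this is one way to produce a CSR with an empty subject DN and the over-long hostname carried only in subjectAltName; it assumes OpenSSL 1.1.1 or later with its default openssl.cnf, and the hostname and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: CSR with an empty subject DN, hostname only in subjectAltName.
# Assumes OpenSSL 1.1.1+ (needed for -addext) and its default openssl.cnf.

# Constructed sample hostname: over 64 characters, the commonName upper bound
# in RFC 5280, so it could not be placed in the subject CN.
LONG_HOST="a-deliberately-long-label-used-only-for-this-demo.another-long-label-for-padding.example.com"

# make_csr HOST DIR: write DIR/key.pem and DIR/req.csr, print the CSR path.
make_csr() {
    host=$1 dir=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null || return 1
    chmod 600 "$dir/key.pem"
    # -subj "/" parses to a name with zero RDNs, i.e. an empty subject DN.
    openssl req -new -key "$dir/key.pem" -subj "/" \
        -addext "subjectAltName=DNS:$host" \
        -out "$dir/req.csr" || return 1
    printf '%s\n' "$dir/req.csr"
}

# csr_subject FILE: print the subject DN with the "subject=" label removed.
csr_subject() {
    openssl req -in "$1" -noout -subject | sed 's/^subject= *//'
}

# csr_has_san FILE HOST: succeed if HOST is listed as a DNS SAN in the CSR.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Demo: generate into a throwaway directory, show what a CA would see.
tmp=$(mktemp -d) && csr=$(make_csr "$LONG_HOST" "$tmp") &&
    printf 'subject=[%s]\n' "$(csr_subject "$csr")" &&
    csr_has_san "$csr" "$LONG_HOST" && echo "SAN carries the hostname"
rm -rf "$tmp"
```

Whether a given CA accepts a request with an empty subject remains a matter of that CA's policy, as noted in the reply above.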