RFC5280 was not "written by the CAs themselves".

The deprecation of CNs in favor of elements found in the SAN extension is logical and comes from CAs as well as browser vendors; CN use has been abused to contain names (human readable), IP addresses, and host names (either simple or fully qualified). Testing for a match between a certificate and the entity that you want to contact is not eased. Browser vendors now push forward name constraints for subordinate CAs, and name constraints don't deal well at all with the idea of "let's put everything possible in the CN". SAN can contain clearly labelled dnsNames and ipAddresses, which makes checking much easier and less error prone. That's better for everyone.

For your particular problem, CAs usually ignore extensions you set in your request. To populate the SAN extension, you generally have to provide your elements alongside the request. You can still set a CN in your request; its content will be copied into the SAN.

--
Erwann ABALEA

On 14/02/2013 07:18, Matthew Hall wrote:
> I am sure at least some would sign it because RFC 5280 PKIX standard was
> written by the CAs themselves and they are the ones deprecating CN in favor of
> SAN.
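As an added example (not code from this thread), a hostname check that consults only the SAN's dNSName and iPAddress entries when the extension is present, and falls back to the CN only for legacy certificates without a SAN; the certificate dicts are constructed here in the layout Python's ssl.getpeercert() returns.

```python
import ipaddress

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(); values are illustrative, not real certificates.
CERT_WITH_SAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {  # legacy certificate: CN holds an IP address and there is no SAN
    "subject": ((("commonName", "192.0.2.10"),),),
}


def _dns_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard is allowed only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert, reference):
    """Return (matched, source) where source is 'SAN' or 'CN'.

    With a SAN present, only its dNSName / iPAddress entries are consulted and the
    CN is ignored.  Without a SAN, the CN is used as a legacy fallback for DNS
    names only: an IP literal in the CN is not accepted (an assumption made here).
    """
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "DNS" and ref_ip is None and _dns_matches(value, reference):
                return True, "SAN"
            if kind == "IP Address" and ref_ip is not None \
                    and ipaddress.ip_address(value) == ref_ip:
                return True, "SAN"
        return False, "SAN"
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and ref_ip is None and _dns_matches(value, reference):
                return True, "CN"
    return False, "CN"
```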

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org