Skip to content

Subject alternative name extension must be marked critical if the "subject" field is empty #310

New issue
New issue
Closed
#311
Closed
Subject alternative name extension must be marked critical if the "subject" field is empty#310
#311
@howardjohn

Description

@howardjohn
howardjohn
opened on Jan 17, 2025

Per https://tools.ietf.org/html/rfc5280#section-4.1.2.6 :

If subject
naming information is present only in the subjectAltName extension
(e.g., a key bound only to an email address or URI), then the subject
name MUST be an empty sequence and the subjectAltName extension MUST
be critical.

However, currently rcgen hardcodes SANs as non-critical:

rcgen/rcgen/src/certificate.rs

Line 502 in cd88a39

write_x509_extension(writer, oid::SUBJECT_ALT_NAME, false, |writer| {

It would be nice to have this either automatically detect empty subject and mark it as critical, or have a way to indicate the extension as critical.

If I understand right, the only way to do this currently would be with a custom extension which seems like a lot of work.

I am willing to work on a fix for this

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions