As this is easy to configure, it is on the CA, not the CA software, to ensure that profiles adhere to the relevant (for that CA) standards. In general the CA software cannot enforce RFC 5280 strictly because lots of standards out there have details that are not RFC 5280 compliant. This includes global critical standards such as ICAO 9303, or CA/B Forum baseline requirements.
In the RFC 5280 section 4.2.1.6 Subject Alternative Name is written
EJBCA can be configured to issue a certificate with an empty subject field and no subjectAltName extension. At least in version 8.3.1, which we were using to test this behaviour.

If I am interpreting the RFC correctly, the CA should not issue a certificate with an empty subject field when there is no subjectAltName, and from that perspective, it can be considered a bug.

When you try to use such a certificate in Java, for example, you will get an exception:

You can set the end entity profile to include the subjectAltName with an empty subject field; however, the subjectAltName extension will not be marked as critical.

What do you think, is my interpretation correct and should the check for that be implemented in EJBCA? Or is it on purpose and I missed something?
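The RFC 5280 section 4.2.1.6 rule discussed in this thread (an empty subject requires a subjectAltName extension marked critical) can be checked on issued certificates outside the CA software. The Go lint below is an added example, not EJBCA code and not code from either poster; `CheckEmptySubjectSAN` and `issue` are hypothetical names, and the test certificates are constructed in-process.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17} // id-ce-subjectAltName

// CheckEmptySubjectSAN returns "" when the certificate satisfies the
// RFC 5280 section 4.2.1.6 rule, otherwise a description of the violation.
func CheckEmptySubjectSAN(c *x509.Certificate) string {
	if !bytes.Equal(c.RawSubject, []byte{0x30, 0x00}) {
		return "" // subject is not an empty SEQUENCE; the rule does not apply
	}
	for _, e := range c.Extensions {
		if e.Id.Equal(oidSAN) && e.Critical {
			return ""
		} else if e.Id.Equal(oidSAN) {
			return "empty subject: subjectAltName present but not critical"
		}
	}
	return "empty subject: subjectAltName missing"
}

// issue builds a constructed test certificate with an empty subject.
func issue(withSAN, critical bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Test CA"}}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if withSAN { // GeneralNames with one dNSName [2]; ExtraExtensions lets us choose the critical flag
		san, _ := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte("host.example.test")}})
		t.ExtraExtensions = []pkix.Extension{{Id: oidSAN, Critical: critical, Value: san}}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, key)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

func main() {
	for _, tc := range [][2]bool{{false, false}, {true, false}, {true, true}} {
		fmt.Printf("SAN=%v critical=%v -> %q\n", tc[0], tc[1], CheckEmptySubjectSAN(issue(tc[0], tc[1])))
	}
}
```

The three cases correspond to the two profile configurations described in the question plus the compliant one.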