Use SAN attribute for cert name if CN is not available

Question

Use SAN attribute for cert name if CN is not available

manfredw opened this issue a year ago · 3 comments

Certificates that use only Subject Alternative Names (SAN) attribute without CN attribute (which is not mandatory when SAN is used) leads to a Icingaweb2 X509 certificate list with an empty certificate name.

If there is no CN present in the certificate, the x509-module should use i.e. the first DNS or IP Address entry from SAN attribute.

There seems to be no alternative, because due to different CA policies and automated cert generation I'm not able to enforce the issuer to use the CN attribute.

Answer 1 · 2023-07-07T12:30:21.000Z

Sounds good.

Answer 2 · 2023-07-17T07:31:23.000Z

I would try to parse the extension fields in the following order and use the first set field:

dNSName
rfc822Name
URI
iPAddress
First value

@manfredw Does that make sense?

Answer 3 · 2023-07-20T19:53:03.000Z

I would try to parse the extension fields in the following order and use the first set field:
* dNSName

* rfc822Name

* URI

* iPAddress

* First value
@manfredw Does that make sense?

Yes, this makes sense - please implement it that way :-)