All distinguished name fields not showing in issued certificates?


#1

I’ve noticed that when I get a certificate issued, it does not contain all of the typical distinguished name fields that you see in most certs. For example, I create a CSR with country, organization, etc., but they don’t show up in the cert. Am I doing something wrong or is this how the certs are issued? The missing fields are causing issues when trying to install a cert with the cPanel API.

Thanks.


#2

Hi @oborseth, this is intentional because the Let’s Encrypt CA has no way of verifying the correctness of that information. In principle, CAs should only include information in a certificate that the CAs were able to verify and regard as correct. Since I could make a CSR with, say, O = Google Inc, L = Mountain View, ST = California, C = US, although I don’t work for Google and never have, it would not be ideal for Let’s Encrypt to then issue a cert with those fields in the X.509 data – they would be fraudulent and users could be confused if they thought that they were somehow accurate and verified.

Therefore, Let’s Encrypt uses the CSR only for the subject public key and for the list of subject names. (There are or will be minor exceptions in the future related to policy fields in the certificate that can be set at the option of the subscriber, but nothing related to the subscriber’s identity, since Let’s Encrypt simply can’t verify any of these things other than domain control.)
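
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Let’s Encrypt’s code: a model of a domain-validation CA that takes only the public key and DNS names from a CSR. The helper names (`issueDV`, `demo`, `must`), the throwaway test CA and all subject values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueDV models a DV CA (hypothetical helper): it copies only the CSR's key and DNS names.
func issueDV(csrDER []byte, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR unparsable or not signed by its own key (parse error: %v)", err)
	}
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Test CA"}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: csr.DNSNames, // csr.Subject is ignored
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demo builds a CSR with unverified identity fields (constructed values) and issues from it.
func demo() (csrSubject string, cert *x509.Certificate) {
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // throwaway test CA key
	req := &x509.CertificateRequest{DNSNames: []string{"www.example.test"}, Subject: pkix.Name{
		Organization: []string{"Example Org"}, Locality: []string{"Springfield"}, Country: []string{"US"}}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, req, subKey))
	return req.Subject.String(), must(issueDV(csrDER, caKey))
}

func main() {
	csrSubject, cert := demo()
	fmt.Printf("CSR subject:  %q\ncert subject: %q\ncert SANs:    %v\n", csrSubject, cert.Subject.String(), cert.DNSNames)
}
```

Tooling that consumes such certificates should read the host names from the SAN extension rather than expect O, L or C in the subject.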


#3

Makes perfect sense, thanks. I’m going to have to try and get cPanel to fix their API.