Can LetsEncrypt allow empty Subject now

Per the old thread: SSL for (a) 63 character (max. number of characters) - domain name(s), looks like LetsEncrypt does not allow empty Subject. Is this still the case?

I am asking this as I would like to get a certificate with a single host that could be longer than 63 characters. If this is supported, then I think I don't need to configure CN, and can just use SAN directly. Thanks!

1 Like

I don't think it will validate without a valid and authenticated subject name.
But you can easily test against the staging system which will produce a FAKE cert you can inspect to see if it is how you are expecting the REAL one to be.

1 Like

I think Let's Encrypt will still try to copy one of the SANs into the Subject CN, which will produce the following error:

 CSR doesn't contain a SAN short enough to fit in CN

but I saw recently that there is a renewed effort to allow a certificate with an empty Subject in the specific case where there is no suitably short SAN to copy: https://github.com/letsencrypt/boulder/issues/5112. So things might be changing "soon" (or not, I have no idea what the timeline on it is).

4 Likes

Yep, @_az's got it right! We still don't support empty Subject. But I would like to, exactly to support use cases like yours, @jmx. We don't have a specific timeline on it, but we were re-discussing it lately and I wanted to write down our current thinking. Being realistic about our time commitments, I wouldn't expect anything before January 2021.

2 Likes
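For anyone who wants to inspect a SAN-only request locally before trying it against staging, as suggested in the thread, here is an added example (not from any poster or from Let's Encrypt). It builds a CSR with an empty Subject and the hostname only in the SAN extension. The hostname and function names are constructed for illustration, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: build a CSR with an empty Subject and the name only in SAN,
# then inspect it locally. Assumes OpenSSL 1.1.1+ (needed for -addext).

# Constructed hostname, well over the CN length limit discussed in the thread.
LONG_HOST="this-is-a-constructed-hostname-label-used-only-for-testing.another-long-label.example.org"

# make_san_only_csr HOST OUTDIR: writes OUTDIR/key.pem and OUTDIR/csr.pem
make_san_only_csr() {
    host=$1; dir=$2
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key.pem" 2>/dev/null || return 1
    # -subj "/" yields an empty sequence of RDNs, i.e. no CN at all
    openssl req -new -key "$dir/key.pem" -subj "/" \
        -addext "subjectAltName=DNS:$host" -out "$dir/csr.pem" 2>/dev/null
}

# csr_subject CSR: prints the Subject DN with the "subject=" prefix stripped
csr_subject() {
    openssl req -in "$1" -noout -subject | sed -e 's/^subject=//' -e 's/^[[:space:]]*//'
}

# csr_has_san CSR HOST: succeeds if HOST is listed as a DNS SAN in the CSR
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Stand-alone run: report the hostname length and the (empty) Subject
tmp=$(mktemp -d)
if make_san_only_csr "$LONG_HOST" "$tmp"; then
    echo "hostname length: ${#LONG_HOST}"
    echo "subject: '$(csr_subject "$tmp/csr.pem")'"
    csr_has_san "$tmp/csr.pem" "$LONG_HOST" && echo "SAN present"
fi
```

Whether a CA accepts such a request is a separate matter; per the replies above, Let's Encrypt did not at the time of this thread.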
