Domain ordering not respected, unexpected certificate subject

Update: We've decided to go back to the old behavior: issuance requests with no Subject CN in the CSR will have the first SAN copied into the Subject CN of the issued certificate. This requires a code change and a deploy cycle. We're planning to follow our usual deploy process for this, so assuming everything goes smoothly with next week's deploy, the old behavior should be live again by approximately next Thursday. If you have certificates expiring before then, please use the workaround discussed above (generating a custom CSR with the Subject CN you want to appear in the Subject CN of the issued certificate).

And in general, if you're reading the issue because you have a system that relies on a specific Subject CN in certificates, please post your use case so we can get an idea of what breakage to expect as we migrate to no-CN-in-Subject certificates.

I'm hesitant to commit to a specific timeline since we haven't decided on what exactly our timeline will be, but approximately months. And we're likely to have some way to request a fallback for a certain amount of time, TBD.

This is true, though in fairness it took a while for browsers to actually start enforcing that deprecation by ignoring the field. And lots of CAs (including us, so far!) always include CN. So it's no surprise that there are various systems that expect it to be present; hopefully we can find such systems and help get them fixed without too much overall pain.

6 Likes
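
The workaround mentioned in the update (a custom CSR carrying the Subject CN you want), as an added example that is not part of the original post or Let's Encrypt's own tooling. It builds a CSR whose Subject CN is set explicitly and differs from the first SAN, then reads both back so you can confirm what will be requested. It assumes OpenSSL 1.1.1 or later (for `-addext`); the hostnames and function names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: CSR with an explicit Subject CN, independent of SAN order.
# Hostnames are constructed placeholders; needs OpenSSL 1.1.1+ for -addext.
set -eu

# make_csr <cn> <outdir> <san>... : writes key.pem and csr.pem into <outdir>
make_csr() {
  cn=$1; outdir=$2; shift 2
  san=""
  for name in "$@"; do
    san="${san:+$san,}DNS:$name"      # keep SANs in the order given
  done
  ( umask 077                          # private key readable by owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$outdir/key.pem" -out "$outdir/csr.pem" \
      -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null )
}

# csr_subject_cn <csr> : prints the Subject CN, or nothing if the CSR has none
csr_subject_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=\(.*,\)\{0,1\}CN=\([^,]*\).*/\2/p'
}

# csr_first_san <csr> : prints the first DNS name in the SAN extension
csr_first_san() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 |
    sed 's/^ *DNS:\([^,]*\).*/\1/'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# SAN order puts www first, but the Subject CN is pinned to the apex name.
make_csr example.com "$workdir" www.example.com example.com

echo "Subject CN: $(csr_subject_cn "$workdir/csr.pem")"
echo "First SAN:  $(csr_first_san "$workdir/csr.pem")"
```

Submit the resulting `csr.pem` through an ACME client that accepts an externally generated CSR, and keep `key.pem` with the system that will serve the certificate.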