I’ve just generated a few certificates, and NONE of them assigned the first -d name as the Subject Name. A seemingly random name was selected as primary each time. I’d like to assert that this behavior is generally undesirable.
It might be true in many cases that the primary subject name is functionally irrelevant, and it might well be true that the field will go away in the future. However, it’s certainly very relevant today, and it will remain so for at least some amount of time. It matters to both systems and humans, and begs for the ability of specificity.
In some systems, that field is used for automation. For example, I know of at least one OpenVPN service whose connection scripts use the Subject Name field to determine the proper network settings to push. The inability to specify the Subject Name breaks these scripts needlessly.
More generally, though, and certainly more visibly, humans use that field. Humans click on the browser’s “lock” icon to provide a sense of confidence. When they find an unexpected name there, it can be confusing at best, and concerning at worst. Complicating matters even further, some browsers don’t even display the Subject Alternate Names when viewing the certificate that way, only the main Subject Name. I’ve already received calls from users who are concerned by this. My explanations help, but their confidence remains reduced.
Please, I implore you, provide some way to control which name will be used as the certificate’s main Subject Name. Even if it’s with a separate option, please do provide some deterministic mechanism to control the behavior. Thanks.
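As an added example, not part of the original post, the following Go program (standard library only) builds a constructed self-signed certificate and reports which name ended up as the Subject CN versus the SAN list, which is the check to run on an issued certificate before an OpenVPN script or a user relies on the CN. The hostnames are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InspectNames parses a DER certificate and returns its Subject CN, its DNS SANs,
// and whether the CN equals the first SAN (the behaviour the post asks for).
func InspectNames(der []byte) (cn string, sans []string, cnIsFirst bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, false, err
	}
	cn, sans = cert.Subject.CommonName, cert.DNSNames
	return cn, sans, len(sans) > 0 && sans[0] == cn, nil
}

// MakeCert builds a constructed self-signed certificate with the given CN and SANs,
// standing in for an issued certificate (names are hypothetical, not from the post).
func MakeCert(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Simulate a CA that chose the third requested name as CN instead of the first.
	der, err := MakeCert("vpn.example.net", []string{"www.example.net", "example.net", "vpn.example.net"})
	if err != nil {
		panic(err)
	}
	cn, sans, first, _ := InspectNames(der)
	fmt.Printf("CN=%s SANs=%v CN matches first -d name: %v\n", cn, sans, first)
}
```

Feeding a real certificate's DER bytes to InspectNames gives the same report for what the CA actually issued.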