We submitted a CSR without a Common Name. The certificate issued, and when we inspected it, it had a Common Name (CN) set to the host cryptopp.com. The CSR had two Subject Alt Names (SAN) - cryptopp.com and www.cryptopp.com.
We want to use a CN=“Crypto++ Project”. Common names are displayed to the user and should be friendly names. The IETF is fine with a friendly name, but the CA/Browser Baseline Requirements do not allow it. However, both the BR and IETF make the CN optional so we omit it.
As an aside, the CA/Browser Baseline Requirements and the IETF intersect at CN=hostname is deprecated and discouraged (but not forbidden yet). There’s no need to place a hostname in the CN, especially since (1) the hostnames are in the SAN; and (2) both standards say not to do CN=hostname.
I visited the Certification Practice Statement (CPS) but did not see a treatment. I found something relevant in LE-SA-v1.2-November-15-2017.pdf, section 3.3, that says “The contents of Your Certificates will be based on the information You or Your ACME Client Software sends to ISRG”.
The web server operated for years with a certificate that omits the CN. There have never been any user complaints or operational problems. So we know it is fine in practice.
We would really like to use a certificate with either CN=“Crypto++ Project” or CN omitted.
How do we request a certificate without a Common Name? Is it possible to do?
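
The CSR described in this post (empty subject, the two SAN hostnames) can be built and checked with the OpenSSL command line as follows. This is an added example, not part of the original post; it assumes OpenSSL 1.1.1 or later for `-addext`, and the function and file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: function and file names are constructed; the SAN
# hostnames are the two named in the post.

# Write a P-256 key and a CSR with an empty subject (no CN) into directory $1.
make_csr_without_cn() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/key.pem" 2>/dev/null &&
    openssl req -new -key "$1/key.pem" -subj "/" \
        -addext "subjectAltName=DNS:cryptopp.com,DNS:www.cryptopp.com" \
        -out "$1/req.pem"
}

# Succeed only if the CSR in file $1 carries a CN in its subject.
csr_has_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | grep -q '[=,+]CN='
}

# Same check for an issued certificate in file $1, to see what the CA
# actually placed in the subject.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q '[=,+]CN='
}

# Print the DNS names from the CSR's Subject Alt Name extension, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# Build the CSR in a scratch directory and report what it contains.
work=$(mktemp -d)
make_csr_without_cn "$work"
if csr_has_cn "$work/req.pem"; then echo "CSR has a CN"; else echo "CSR has no CN"; fi
csr_san_names "$work/req.pem"
```

Running `cert_has_cn` against the certificate the CA returns shows whether a CN was added during issuance even though the CSR had none.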