Is common name automatically included in SAN?

I just read that Chrome and other browsers check only the SAN entries while validating a certificate, and not the common name. My doubt is whether the Let's Encrypt staging and production servers automatically include my common name in the SAN values. If not, then where do I need to include it? Like, include my common name in the SAN entries while generating the CSR, or while sending a certificate issuance request to the server, or both?

1 Like

Officially, the common name is deprecated and no longer recommended for use by the Baseline Requirements.

Currently, Let's Encrypt still includes Common Names where possible. This is done for improved compatibility with old software. It automatically promotes one of your SANs as CN where applicable.

Unlike SANs, CNs are limited to 64 characters. If all of your SANs are longer than 64 characters, it is possible to receive a certificate without a Common Name: Simplifying Issuance for Very Long Domain Names

For client authors, the current recommendation is to not include a CN in the CSR. This lets the CA automatically decide the best course of action.

6 Likes

I am asking: if I enter a common name, then, similar to what GlobalSign does, will Let's Encrypt include that common name also in the SAN entries of the certificate, or should I enter it again manually in the SAN entries?

Yes, Let's Encrypt will include the CN (from the CSR) in the SAN list. The recommendation however is to not use the CN at all (if possible) and only use SAN fields. This allows the issuance of certificates with long names.

7 Likes

For the best compliance across different ACME servers, if you include a CN it should appear again as a SAN entry.

Some servers do not require this, and will copy the deprecated CN into the new SAN. Other servers will reject a request where the CN does not appear in the SAN. IIRC, Let's Encrypt is a bit lax on this, but the sibling test server, Pebble, is not. I believe that is a conscious decision by the project maintainers to promote the desired behavior.

Background reading:

Summary:

  • Recommended practice is to not use a CN, and to put everything in the SAN, as @Nummer378 stated.
  • The best practice when using a CN is to duplicate the name into the SAN for compliance with the widest number of ACME servers.
8 Likes
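The two CSR shapes the thread recommends (SAN-only, or CN duplicated into the SAN) and a pre-submission check for them, as an added example that is not part of the thread and not Boulder's or Pebble's own validation code. It uses only the Go standard library; the domain names are constructed samples, and `BuildCSR`, `CheckCSR` and `CSRReport` are hypothetical helper names chosen here. `CheckCSR` also flags a CN over 64 characters, the limit mentioned above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
)

// maxCNLength is the 64-character limit on the CN attribute mentioned in the thread.
const maxCNLength = 64

// BuildCSR returns a DER-encoded CSR signed with a fresh P-256 key. An empty cn
// yields a SAN-only CSR (the recommended form); a non-empty cn goes into the Subject.
func BuildCSR(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn},
		DNSNames: sans, // encoded as the subjectAltName extension
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CSRReport summarises how a CSR fares against the rules discussed in the thread.
type CSRReport struct {
	CN         string
	SANs       []string
	CNInSAN    bool // the CN is duplicated in the SAN list
	CNTooLong  bool // the CN exceeds 64 characters
	Acceptable bool // no CN at all, or CN present in SAN and within the length limit
}

// CheckCSR parses a DER CSR, verifies its self-signature, and applies the
// "no CN, or CN duplicated in SAN" rule. Hypothetical client-side check only.
func CheckCSR(der []byte) (CSRReport, error) {
	var rep CSRReport
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return rep, err
	}
	if err := csr.CheckSignature(); err != nil {
		return rep, fmt.Errorf("CSR signature invalid: %w", err)
	}
	rep.CN = csr.Subject.CommonName
	rep.SANs = csr.DNSNames
	for _, name := range csr.DNSNames {
		if name == rep.CN {
			rep.CNInSAN = true
			break
		}
	}
	rep.CNTooLong = len(rep.CN) > maxCNLength
	rep.Acceptable = rep.CN == "" || (rep.CNInSAN && !rep.CNTooLong)
	return rep, nil
}

func main() {
	// Constructed sample names; not real domains.
	cases := []struct {
		label string
		cn    string
		sans  []string
	}{
		{"SAN-only (recommended)", "", []string{"example.test", "www.example.test"}},
		{"CN duplicated in SAN", "example.test", []string{"example.test", "www.example.test"}},
		{"CN missing from SAN", "example.test", []string{"www.example.test"}},
	}
	for _, c := range cases {
		der, err := BuildCSR(c.cn, c.sans)
		if err != nil {
			log.Fatal(err)
		}
		rep, err := CheckCSR(der)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%-24s CN=%q CNInSAN=%v acceptable=%v\n", c.label, rep.CN, rep.CNInSAN, rep.Acceptable)
	}
}
```

Running a check like this before submitting to an ACME server turns a Pebble-style rejection ("CN not in SAN") into a local error with a clear cause; the SAN-only case passes trivially because there is no CN to reconcile.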
