Maintain Subject Records (Country, etc) in Certificate from CSR


I can understand not allowing O, L and ST etc.
But surely Country could be allowed?
LetsEncrypt could automatically check Country is correct from IP address. StartCom do it.



Just for my information, what would be the added value of adding a country record?



If you use openssl to create your own CSR you can specify the country of origin and this will get put in to the certificate (80% sure)

IP to country validation is not relevant with the modern web. Most people use cloud services based in countires which are not their own so IP based validation is rendered usless.

VPN tunnels and proxies also negate and IP to country matching



Are you referring to self-signed certificates, or a Let’s Encrypt-issued one? The latter would not include the country from the CSR.

Interestingly, the Baseline Requirements specify the validation procedure for the country field in a way that could be automated. That said, I don’t see the usefulness for domain-validated certificates, and browsers don’t use the field for anything either in this context.



My apologies you are right these are removed from the final cetificate



@pfg - what is the rationale behind removing these from the final certificate?

Baseline Requirements - are these ACME requirements?



There would have to be some validation for the value of the country field. From the Baseline Requirements (a set of minimum requirements for publicly-trusted TLS certificates written by the CA/B Forum and part of various root programs):

[…] the CA SHALL verify the country associated with the Subject using one of the following: (a) the IP Address range assignment by country for either (i) the web site’s IP address, as indicated by the DNS record for the web site or (ii) the Applicant’s IP address; (b) the ccTLD of the requested Domain Name; © information provided by the Domain Name Registrar; or (d) a method identified in Section

The CA software does not remove fields from the CSR as such, but rather takes a small number of fields (like the domains and the public key) and puts it in the final certificate. More like a whitelist rather than a blacklist. Fewer things that can go wrong that way.


essentially you are putting in only the information that you have validated into the final certificate

makes sense - thanks for taking the time to explain



The “country” of a website may be important in the sense that it show under which law that service may operate.

Subject Names in CSR Not Present in Let's Encrypt Issued Certificate

Has that even been used in a legal process once?

I’m sure the legal system will look at the exact location of the servers, not a field in a certificate, for which multiple ways of validating can be used as @pfg has pointed out.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.