Problem with CSR for only one DNS name

For certificates in the Web PKI, every name must be listed as a SAN, and (optionally, for compatibility) at most one of these names can also appear as a CN. Because CN is free-form text, having software try to figure out what it "means" is undesirable, so for the past 16 years or so we've been trying to get rid of this use of X.509's Common Name.

Let's Encrypt will "fix" CSRs that don't ask for any SANs or ask for a CN that's different from the SANs, ensuring it always issues Baseline Requirements compliant certificates in which all DNS names are listed as SANs.


Good to know - will start using SANs in CSRs :smiley:
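
An added example, not part of the original thread and not Let's Encrypt's code: building a CSR with OpenSSL in which every DNS name is requested as a SAN and the first is also the CN, then checking whether a CSR's CN is among its SANs. The domain names and the `CSR_CN` override variable are constructed for illustration, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. Names are constructed; requires OpenSSL 1.1.1+ for -addext.

# make_csr OUTDIR NAME [NAME...]
# Writes OUTDIR/key.pem and OUTDIR/csr.pem. Every NAME goes into the SAN
# extension; the first NAME is also used as the (optional) CN.
# CSR_CN is a hypothetical override used only to build a mismatched CSR.
make_csr() {
    outdir=$1; shift
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/key.pem" -out "$outdir/csr.pem" \
        -subj "/CN=${CSR_CN:-$1}" -addext "subjectAltName=$san" 2>/dev/null
}

# csr_sans CSR: print the DNS SANs the CSR requests, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_cn CSR: print the subject CN, or nothing if there is none.
csr_cn() {
    openssl req -in "$1" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# cn_in_sans CSR: succeed if the CSR has no CN, or its CN is also a SAN.
cn_in_sans() {
    cn=$(csr_cn "$1")
    [ -z "$cn" ] || csr_sans "$1" | grep -qxF -- "$cn"
}
```

Running `cn_in_sans` on an existing CSR before submitting it shows whether it is one of the CSRs described above whose CN differs from its SANs.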
