Regarding this announcement: as stated, the Classic profile will no longer include the client EKU starting February 26. It’s also mentioned that the Common Name field is deprecated, and that other TLS profiles no longer populate it in issued certificates.
At my workplace, we currently issue certificates using the Classic profile and are already in the process of migrating away from the client EKU. However, we still rely heavily on the Common Name field.
My question is: do you have any plans to remove the Common Name field from the Classic profile in the future?
We have no immediate plans, but all newer profiles and certificate types (like post-quantum, etc.) will exclude it. I imagine it may go away some day, but that’s not going to be soon.
It might be helpful for the community if you could explain in more detail how your systems rely on the CN field. It's the kind of thing where we hear a lot that there are these obscure systems that need it to be there, but we don't have a handle on exactly what is used or how many users it impacts.
Can you check the SAN instead of the Common Name field? As you are filtering to tenant by common name, that suggests your certs only contain one domain (or domain + www.domain).
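
The SAN check suggested in the last reply, sketched as an added example that is not part of the original thread or any poster's code. It assumes certificates decoded into the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and a tenant keyed by one domain (optionally with `www.`); the function names and sample certificates are constructed for illustration.

```python
# Added example: tenant lookup from subjectAltName instead of Common Name.
# The dicts below are constructed samples in ssl.SSLSocket.getpeercert() form.

def san_dns_names(cert):
    """Return the normalized dNSName entries of the subjectAltName extension."""
    return [v.lower().rstrip(".")
            for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    """Return the subject CN, or None when the profile omits it."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def _base(name):
    """Treat domain and www.domain as the same tenant."""
    return name[4:] if name.startswith("www.") else name

def tenant_key(cert):
    """Derive the tenant domain from the SAN only; never reads the CN."""
    bases = {_base(n) for n in san_dns_names(cert)}
    if not bases:
        raise ValueError("certificate has no dNSName SAN entries")
    if len(bases) != 1:
        # More than one unrelated domain: refuse rather than guess a tenant.
        raise ValueError("ambiguous tenant, SAN covers %s" % sorted(bases))
    return bases.pop()

def migration_status(cert):
    """Compare the old CN-based key with the SAN-based key for one cert."""
    cn = common_name(cert)
    if cn is None:
        return "cn-absent"          # CN lookup would fail, SAN lookup works
    return "same" if _base(cn) == tenant_key(cert) else "differs"

# Constructed samples: one with a CN, one as issued by a profile without CN,
# and one covering two unrelated domains.
WITH_CN = {"subject": ((("commonName", "example.org"),),),
           "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org"))}
NO_CN = {"subject": (),
         "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org"))}
MULTI = {"subject": (),
         "subjectAltName": (("DNS", "example.org"), ("DNS", "example.net"))}

if __name__ == "__main__":
    for label, cert in (("with CN", WITH_CN), ("no CN", NO_CN)):
        print(label, tenant_key(cert), migration_status(cert))
```

Running `migration_status` over an existing certificate inventory shows which lookups would change before the CN is actually dropped.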