Simplifying Issuance for Very Long Domain Names

Let’s Encrypt will soon make a change enabling the issuance of certificates in instances where all provided DNS Names (domain names) on one certificate are longer than 64 characters. This change will be made in Let’s Encrypt’s Staging Environment on 2023-11-08. The production change will follow on 2023-11-29.

Previously, requests where all DNS Names were longer than 64 characters resulted in a urn:ietf:params:acme:error:rejectedIdentifier error with the message “NewOrder request did not include a SAN short enough to fit in CN”. With this change, such requests will be processed successfully, albeit now without a CN.

A certificate contains a single Subject, which in turn contains a single CN, which was historically used as the field where the certificate’s DNS Name was stored. Because it is common to want more than one DNS Name on a certificate, an extension called the Subject Alternative Name (SAN) allows for multiple DNS Names on a single certificate. The Baseline Requirements mandate the use of the SAN extension even for certificates with only a single DNS Name, and the SANs must include the CN, so the CN is redundant information.

Additionally, the CN is limited to at most 64 characters, while SANs can be significantly longer. This means that the CN is not only redundant, but actively restrictive: a certificate which has a Common Name cannot contain only very long domain names, because none of them would fit in the CN. For these reasons, the BRs state that for Domain Validated certificates, the Common Name field is "not recommended".

Existing certificates will not be affected, including when renewed, because any existing certificate must have a DNS Name Subject Alternative Name short enough to fit into a Common Name. Any request which has a DNS Name that fits into the Common Name will continue to have a Common Name. As a workaround for the CN length limitation, we have previously recommended including an additional shorter name in certificates, which will no longer be required.

We expect minimal compatibility issues arising from this change. While modern web browsers do not use the Common Name field, some certificate management tools, web servers, or older software may require Common Names on certificates. If you rely on a Common Name to be set in your certificate, ensure that at least one of the DNS Names is 64 characters or less.

If you have any concerns, questions, or other input, please post them in Questions re: Simplifying Issuance for Very Long Domain Names. If you require any assistance, please create a new thread in the Help category.

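As an added illustration, not part of the announcement and not Let's Encrypt's own code: a small Python model of the CN rule described above (a name of 64 characters or less becomes the CN; with none, the old behaviour rejects the order and the new behaviour issues without a CN), plus helpers that check the dict returned by ssl.SSLSocket.getpeercert() for a CN, which is the check an operator who relies on the CN would want to run. It assumes that when several names fit, the first in request order is used; the sample names are constructed.

```python
# Added example: models the CN rule from the announcement; not Let's Encrypt code.
# Assumption: when several names fit, the first one in request order becomes the CN.
# Sample names below are constructed, not taken from real certificates.

CN_MAX_LEN = 64  # X.509 upper bound on the length of the commonName attribute

class RejectedIdentifier(Exception):
    """Stands in for the ACME error urn:ietf:params:acme:error:rejectedIdentifier."""

def choose_common_name(dns_names):
    """Return the first DNS name short enough to be the CN, or None if none fits."""
    for name in dns_names:
        if len(name) <= CN_MAX_LEN:
            return name
    return None

def plan_subject(dns_names, allow_empty_cn=True):
    """Work out the CN and SAN list an order would end up with; allow_empty_cn=False
    reproduces the pre-change behaviour (rejected), the default the new one (no CN)."""
    if not dns_names:
        raise ValueError("an order needs at least one DNS name")
    cn = choose_common_name(dns_names)
    if cn is None and not allow_empty_cn:
        raise RejectedIdentifier(
            "NewOrder request did not include a SAN short enough to fit in CN")
    # The BRs require every name, the CN included, to appear in the SAN extension.
    return {"cn": cn, "sans": list(dns_names)}

def peer_cert_common_name(cert):
    """CN from an ssl.SSLSocket.getpeercert()-style dict, or None when absent."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None

def peer_cert_dns_names(cert):
    """DNS entries of the SAN extension from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample input: a 73-character name (too long for a CN) and a short one.
LONG_NAME = "a" * 60 + ".example.test"
SHORT_NAME = "www.example.test"
```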

This is now available in staging.


We plan to make this change in production tomorrow, about 24 hours from this post.


This change is now available in our production environment.
