That was my point about LE not really caring about the CN. If the CN were actually required in the CSR, hoisting a name (the first SAN, I suspect) wouldn't be necessary. Given the duplication with the CN always being a SAN, I only wish the SANs were coded into the CSR (and the certificate) in a position more fitting of their importance rather than within an "extension". When I wrote my DER decoder, I remember the "fun" of digging out the SANs from the depths of the CSR.
3 Likes