Why does LE drop the subject?

(Maybe this is not a client issue - I don’t know)

When I use a CSR to create a certificate, Let’s Encrypt drops the subject I create. For example:

Subject: C=ZA, ST=Western Cape, L=Stellenbosch, O=GTS, CN=gtst.xyz

The generated cert doesn’t have this in.

Is this by design and can I override this behaviour?

Yes, it’s by design. Let’s Encrypt operates as a public CA and so it is obliged to obey the Baseline Requirements of the CA/B forum. The BRs say that most of the values you listed must only be included in a certificate if the CA has validated them by an approved means. Let’s Encrypt doesn’t perform validation for anything except the domain name, which is listed as the CN (for backwards compatibility with very old software) and in SAN DNS names so that a browser can check this is really gtst.xyz they’ve connected to.

To get a certificate with extra subject DN values from a public CA you will (should) need to also prove to them that you’re entitled to the organisational name “GTS” either in South Africa (code ZA) as a whole, or in the administrative sub-division of Western Cape. This will usually involve considerable paperwork and thus a higher cost for the certificate. These are called OV (Organisation Validation) or EV (Extended Validation) certificates and are not offered, nor planned to be offered by Let’s Encrypt.

Unlike a hand-rolled CA built out of openssl and shell scripts, real public CAs don’t actually use your CSR to generate the certificate, instead they just read the contents, and create a certificate completely from scratch containing only those elements they’re happy to actually certify.

Hope that all helps
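To illustrate that last point, here is an added example (not from this thread or from Let’s Encrypt’s code) in which a constructed CSR carrying the exact subject from the question is handed to a toy DV issuer written with Python’s `cryptography` library; the issuer reads only the public key and the DNS names it has validated, and the C/ST/L/O values never reach the certificate. The function names, the 90-day lifetime and the choice of the first sorted name as CN are my assumptions, not a description of Let’s Encrypt’s pipeline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def requested_dns_names(csr):
    """Names the requester asks for: the CN plus any SAN dNSName entries."""
    names = {a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}
    try:
        san = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names.update(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    return sorted(names)

def issue_dv_certificate(csr, ca_key, ca_name, validated):
    """Build the certificate from scratch (hypothetical DV issuer): only the CSR's
    public key and validated domain names carry over; the CSR's C/ST/L/O are ignored."""
    names = requested_dns_names(csr)
    unvalidated = [n for n in names if n not in validated]
    if unvalidated:  # a DV CA refuses rather than certifying names it has not checked
        raise ValueError(f"no validation for: {unvalidated}")
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, names[0])]))
            .issuer_name(ca_name)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=90))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in names]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))

def demo():
    """Constructed CSR with the full subject from the question; returns plain values."""
    key = ec.generate_private_key(ec.SECP256R1())
    full_subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "ZA"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Western Cape"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "Stellenbosch"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "GTS"),
        x509.NameAttribute(NameOID.COMMON_NAME, "gtst.xyz")])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(full_subject)
           .add_extension(x509.SubjectAlternativeName(
               [x509.DNSName("gtst.xyz"), x509.DNSName("www.gtst.xyz")]), critical=False)
           .sign(key, hashes.SHA256()))
    ca_key = ec.generate_private_key(ec.SECP256R1())  # throwaway CA key, constructed
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example DV CA")])
    cert = issue_dv_certificate(csr, ca_key, ca_name, validated={"gtst.xyz", "www.gtst.xyz"})
    san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    return {"csr_subject": csr.subject.rfc4514_string(),
            "cert_subject": cert.subject.rfc4514_string(),
            "cert_dns_names": san.value.get_values_for_type(x509.DNSName)}
```

Running `demo()` shows the CSR subject still carrying `O=GTS,L=Stellenbosch,ST=Western Cape,C=ZA` while the issued certificate's subject is just `CN=gtst.xyz` with both names in the SAN.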


Great answer! @lifeboy, what @tialaramex says is correct.
