acme.sh
Make CN field optional?
Hi
According to this thread: https://community.letsencrypt.org/t/questions-re-simplifying-issuance-for-very-long-domain-names/207925 the X.509 CN (Common Name) and the entire Subject field should be optional and even disappear entirely in the long run. (Read the whole thread; it's not just about super-long SANs, but about the usefulness of CN in general and the roadmap to remove it.)
Should acme.sh consider making the CN field optional when generating a CSR, and maybe even disable it by default?
I have read this thread, but I don't think we need to do it in the near future. We can keep an eye on this to see if there is much demand.
Well, I tried to test LE's "new feature", but acme.sh (Version 3.0.6) failed to create a CSR:
...
_createcsr
Single domain='webserver-with-a-very-very-long-name.in-a-subdomain.of-a-subdomain.example.org'
40F7553FA87F0000:error:06800097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:../crypto/asn1/a_mbstr.c:106:maxsize=64
req: Error adding subject name attribute "/CN=webserver-with-a-very-very-long-name.in-a-subdomain.of-a-subdomain.example.org"
Create CSR error.
...
As this was for pure testing purposes, it doesn't really hurt me.
I am having this issue with my long domain. Is there any sort of fix?
@Neilpang It would be very useful in the case of long FQDNs to allow issuing a single-site certificate by adding an additional one with a shorter FQDN as CN.
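The error quoted in this thread comes from the 64-character limit on CN (`maxsize=64`). As an added example, not acme.sh's own code and not posted by any participant, this sketch puts the name in CN only when it fits and otherwise requests an empty subject, always carrying the name in subjectAltName. The function names are hypothetical; it assumes OpenSSL 1.1.1 or later (for `-addext`) and a CA that accepts a CSR with an empty subject.

```shell
#!/bin/sh
# Added example (not acme.sh code). Function names are hypothetical.
CN_MAX=64  # "maxsize=64" in the OpenSSL error quoted in the thread

# Accept only characters valid in a (wildcard) DNS name, so the value is
# safe to embed in the -subj and -addext arguments.
is_dns_name() {
  case $1 in
    ''|*[!A-Za-z0-9.*-]*) return 1 ;;
  esac
  return 0
}

# Print the -subj value: CN when the name fits, otherwise an empty subject.
csr_subject() {
  if [ "${#1}" -le "$CN_MAX" ]; then
    printf '/CN=%s' "$1"
  else
    printf '/'
  fi
}

# make_csr NAME KEYFILE CSRFILE
make_csr() {
  is_dns_name "$1" || { echo "invalid DNS name: $1" >&2; return 1; }
  # New P-256 key, written with owner-only permissions.
  ( umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$2" ) || return 1
  # The name always goes into subjectAltName; CN is optional.
  openssl req -new -key "$2" -out "$3" \
    -subj "$(csr_subject "$1")" \
    -addext "subjectAltName=DNS:$1" || return 1
}

# Print the subject and the SAN entries so the result can be inspected.
show_csr() {
  openssl req -in "$1" -noout -subject
  openssl req -in "$1" -noout -text | grep 'DNS:'
}

# Stand-alone use: ./make_csr.sh NAME [KEYFILE] [CSRFILE]
if [ "$#" -ge 1 ]; then
  make_csr "$1" "${2:-key.pem}" "${3:-req.csr}" && show_csr "${3:-req.csr}"
fi
```

For the 78-character name from the log above, `csr_subject` returns `/`, so `openssl req` never attempts to encode an over-long CN.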