According to https://stackoverflow.com/a/26195101/569976#comment41093099_26195101 "[Using the DNS name as the common name is] deprecated by both the IETF and CA/B Forums, and it should not be done. Instead, the DNS names should be placed in the Subject Alternate Names (SANs)"

My question is... where is it deprecated? Can I get a link to the RFC where that behaviour is deprecated and the line that deprecates that behaviour?

From what I've seen, what's most common is... if you're doing one domain, that domain is set to the commonName and no subjAltName is present. When multiple domains are done, however, subjAltName is used.

neubert

1 Answer

RFC 6125, 6.4.4 (from 2011):

    ... the client MAY as a last resort check for a string whose form matches that of a fully qualified DNS domain name in a Common Name field of the subject field (i.e., a CN-ID)

RFC 2818, 3.1 (from 2000):

    ... Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Apart from that, not everything is regulated through RFCs. If CAs and browsers agree to a behavior, they don't need to write an RFC in each case.

Steffen Ullrich
  • "If CAs and browsers agree to a behavior, they don't need to write an RFC in each case." Confused a little. Shouldn't this say "If CAs and browsers agree to a behavior they don't need to observe an RFC." in the context of the post? Not saying what you said is wrong. Just it's confusing in this context. Well, I guess the 2011 one undeprecates it? – Northstrider Nov 18 '16 at 23:04
  • @meffect: when the RFC says that someone MAY do something, it means it's not required and that even if you don't do it you still observe the RFC. CAs and browsers can't choose to NOT observe an RFC, but they can be stricter than the RFC and say that they don't support some optional behavior from the RFC or that they require some behavior which is optional in the RFC. – Honza Sep 14 '20 at 12:32
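As an added example (not part of the question or the answer above), the following Python implements the precedence the two quoted RFC passages describe from the client's side: dNSName SAN entries (DNS-IDs) are authoritative, and the Common Name (CN-ID) is consulted only as a last resort when the certificate carries no DNS-ID at all. The dict layout, the function names and the sample certificates are this example's own assumptions.

```python
from typing import Optional

# Constructed sample identities as a client would extract them from a
# certificate: "san_dns" holds the dNSName SAN values, "cn" the subject CN.
MODERN_CERT = {"san_dns": ["www.example.com", "*.api.example.com"],
               "cn": "legacy.example.com"}
LEGACY_CERT = {"san_dns": [], "cn": "www.example.com"}


def _identifier_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a host name.

    A wildcard is accepted only as the entire left-most label and only when
    at least two further labels follow it, so "*.com" never matches.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard covers exactly one label; "a.b.api.example.com" must not
    # be matched by "*.api.example.com".
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> Optional[str]:
    """Return "DNS-ID" or "CN-ID" to say which identifier type matched,
    or None if the certificate does not cover the host name."""
    dns_ids = cert.get("san_dns") or []
    if dns_ids:
        # RFC 6125 precedence: once DNS-IDs are present the CN is ignored,
        # even if it would have matched on its own.
        if any(_identifier_matches(p, hostname) for p in dns_ids):
            return "DNS-ID"
        return None
    cn = cert.get("cn")
    if cn and _identifier_matches(cn, hostname):
        return "CN-ID"  # last-resort, legacy path
    return None


if __name__ == "__main__":
    for host in ("www.example.com", "foo.api.example.com", "legacy.example.com"):
        print(host, "->", match_hostname(MODERN_CERT, host))
    print("www.example.com (CN only) ->", match_hostname(LEGACY_CERT, "www.example.com"))
```

Running it shows that `legacy.example.com` is rejected against the modern certificate even though it is the CN, because the presence of DNS-IDs makes the CN irrelevant; only the SAN-less legacy certificate falls through to the CN-ID path.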