Todo #16657
open
Improve handling of certificates without subjects
100%
Description
Certificates may omit a subject so long as they have SAN entries, but the certificate manager currently prints "Unknown" in the Distinguished Name column for certificates with an empty subject.
Let's Encrypt is dropping the Common Name field from their certificates in the near future, and since that was the only subject component they included, the resulting certificates now lack a subject. As such, these types of certificates will be much more common soon. They can even be generated now by using ACME certificate profiles.
Rather than printing "Unknown" in these cases, the GUI could print "SAN Only" and/or print at least one entry from the SAN list. It could even give a count for the >1 case, such as "SAN Only (x entries)". For certificates with only one SAN entry, printing that seems ideal, but for certificates with multiple SANs it becomes less clear which to print.
Updated by Jim Pingle 19 days ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 445abad5522d04cc1414d9a11409504042941eba.
Updated by Jim Pingle 19 days ago
For certificates with one SAN, it prints "SAN=<SAN spec>". For certificates with multiple it prints a count afterward, e.g. "SAN=DNS:san.example.com and 5 more SANs".
N.B.: This is only for the cosmetic display on the CA and Cert list pages and when editing a cert. There are some uses of subject where the values are compared where this doesn't quite make sense to use, but those are deeper issues in the Certificate Manager design and out of scope for this. I left enough flexibility in this function that it could help there in the future, perhaps.
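The display rule described in the updates above, as an added PHP example that is not the code from the pfSense changeset. The function name `cert_display_label` is hypothetical, the input is assumed to be the array returned by PHP's `openssl_x509_parse()`, the singular wording for exactly one extra SAN is an assumption, and the sample arrays are constructed.

```php
<?php
// Added illustration; not pfSense source. cert_display_label() is a hypothetical name.

/**
 * Build a display label from the array returned by openssl_x509_parse().
 * Cosmetic only: do not use the result to compare or match certificates.
 */
function cert_display_label(array $parsed): string
{
    $subject = $parsed['subject'] ?? [];
    if (!empty($subject)) {
        // Normal case: render the subject components as a DN string.
        $parts = [];
        foreach ($subject as $key => $value) {
            // A repeated component (e.g. two OU values) is returned as an array.
            foreach ((array) $value as $v) {
                $parts[] = "{$key}={$v}";
            }
        }
        return implode(', ', $parts);
    }

    // Empty subject: fall back to the subjectAltName extension, which OpenSSL
    // renders as one string such as "DNS:a.example, IP Address:192.0.2.1".
    $raw = $parsed['extensions']['subjectAltName'] ?? '';
    $sans = array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
    if (count($sans) === 0) {
        return 'Unknown'; // neither a subject nor any SAN entry is available
    }
    $label = 'SAN=' . $sans[0];
    $more = count($sans) - 1;
    if ($more > 0) {
        // Wording for exactly one extra entry is an assumption of this example.
        $label .= " and {$more} more SAN" . ($more === 1 ? '' : 's');
    }
    return $label;
}

// Constructed inputs shaped like openssl_x509_parse() output.
$samples = [
    ['subject' => ['CN' => 'www.example.com', 'O' => 'Example']],
    ['subject' => [], 'extensions' => ['subjectAltName' => 'DNS:san.example.com']],
    ['subject' => [], 'extensions' => ['subjectAltName' =>
        'DNS:san.example.com, DNS:a.example.com, DNS:b.example.com, IP Address:192.0.2.1']],
    ['subject' => []],
];
foreach ($samples as $s) {
    echo cert_display_label($s), PHP_EOL;
}
```

Splitting the extension string on commas is adequate for DNS and IP entries but can mis-split SAN types whose rendered value itself contains commas, such as directory names.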