View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000672||Main CAcert Website||certificate issuing||public||2009-01-29 21:54||2012-03-22 11:13|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Summary||0000672: RFC5280 deprecates EmailAddress= in certificates, wants subjectAltName= instead|
|Description||EmailAddress is deprecated under RFC5280 http://tools.ietf.org/html/rfc5280#section-18.104.22.168 and its predecessors.|
subjectAltName is supposed to be used instead.
|Additional Information||CPS3.1.1 is currently being reviewed for DRAFT and wants to get rid of old stuff.|
|Tags||No tags attached.|
||this also means SSO needs to be dropped or replaced with some RFC compliant mechanism. Currently it sets a email address to a sha1 of a random number.|
report by mk 2012-01-06
I've renewed cert s/n 0xa6422 to s/n 0xb2170 and my SAN changed.
Previously it supported DNS:www.mydomain.tld, mydomain.tld now it has
I found this thread in the archives:
and it looks like the issue happen in the past and should be fixed,
however I've renewed my certificate last month and today I've noticed
the problem on my server.
Did the bug came back again or is this behaviour intentional? Please
0000672:0002765 Looks like the first SAN gets dropped on renewal. Can you please test whether this intuition is true (e.g. generate server certs with foo.mydomain.tld, bar.mydomain.tld in SAN and then renew it)? However this seems unrelated to the original bug topic.
The original topic should be solved by now (for client certs, SSO not yet resolved). The EmailAddress is still included for backward compatibility but SAN is also set.