
Is there a limit on CN length?


Alexander Fisher

Jul 16, 2010, 5:50:02 AM
Hi

I've very recently decided to create my own Cert Authority in order to
produce certificates to replace all the built-in self-signed ones on
devices such as routers, switches etc.

I'm having problems with the certificate signing requests generated by
Dell iDRAC6 management interfaces. The hostname is quite long and the
FQDN totals 57 characters. The last 7 or so characters are being
chopped off from the CSR.

Is this a Dell-specific problem or are there some hard limits I should
know about?

Many thanks,
Alex

Christian Hohnstaedt

Jul 16, 2010, 6:40:44 AM
On Fri, Jul 16, 2010 at 10:50:02AM +0100, Alexander Fisher wrote:
> Hi
>
> I've very recently decided to create my own Cert Authority in order to
> produce certificates to replace all the built-in self-signed ones on
> devices such as routers, switches etc.
>
> I'm having problems with the certificate signing requests generated by
> Dell iDRAC6 management interfaces. The hostname is quite long and the
> FQDN totals 57 characters. The last 7 or so characters are being
> chopped off from the CSR.

RFC3280 says the maximum length of the common name should be 64.
But not every implementation respects it. OpenSSL does.
And it throws an error if the limit is exceeded.

Cheers

Christian

Jakob Bohm

Jul 16, 2010, 8:27:07 AM
On 16-07-2010 12:40, Christian Hohnstaedt wrote:
> On Fri, Jul 16, 2010 at 10:50:02AM +0100, Alexander Fisher wrote:
>> Hi
>>
>> I've very recently decided to create my own Cert Authority in order to
>> produce certificates to replace all the built-in self-signed ones on
>> devices such as routers, switches etc.
>>
>> I'm having problems with the certificate signing requests generated by
>> Dell iDRAC6 management interfaces. The hostname is quite long and the
>> FQDN totals 57 characters. The last 7 or so characters are being
>> chopped off from the CSR.
>
> RFC3280 says the maximum length of the common name should be 64.
> But not every implementation respects it. OpenSSL does.
> And it throws an error if the limit is exceeded.
>

While RFC3280 may be repeating this limit (which appears to be a
historic X.400 directory holdover), this particular limit has always
been a bad idea to enforce or implement at all:

1. For the original/historic use of this element holding a natural
person's full name (as listed in a phone directory, hence the
CCITT/ITU-T standardization interest), the problem is that many
people around the world have full names exceeding this arbitrary
limit.

2. For the common SSL use of placing the fully qualified domain name of
a server in this element (rather than the official SubjectAltName
element), a 64 character limit conflicts rather harshly with the DNS
limit of 63 characters between each dot. Thus a perfectly valid DNS
name such as
www.llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.co.uk
could easily exceed this limit.
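
The length limits discussed in this thread, as an added example that is not part of any poster's message: a pre-signing check a CA operator could run on the CN taken from a CSR. The function names and the 57-character sample FQDN are constructed for illustration; the 64-character bound is the ub-common-name value from RFC 3280, and 253 is the usual text-form limit for a whole DNS name.

```python
# Added example: check a CSR's CN against the FQDN the device should have.
UB_COMMON_NAME = 64   # ub-common-name upper bound (RFC 3280)
DNS_LABEL_MAX = 63    # maximum length of one DNS label (between dots)
DNS_NAME_MAX = 253    # maximum length of a whole DNS name in text form

# Constructed sample: a 57-character management-interface FQDN.
SAMPLE_FQDN = "idrac-rack12-blade07.management.datacentre001.example.org"
# The valid DNS name quoted in the thread, longer than the CN limit.
LONG_NAME = "www.llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.co.uk"


def dns_name_problems(fqdn):
    """Return a list of DNS length problems for fqdn (empty if none)."""
    name = fqdn.rstrip(".")
    problems = []
    if len(name) > DNS_NAME_MAX:
        problems.append("name longer than %d characters" % DNS_NAME_MAX)
    for label in name.split("."):
        if not 1 <= len(label) <= DNS_LABEL_MAX:
            problems.append("label %r has length %d" % (label, len(label)))
    return problems


def check_csr_cn(expected_fqdn, csr_cn):
    """Compare the CN found in a CSR with the expected FQDN.

    Returns a list of findings; an empty list means the CN is usable as is.
    """
    findings = dns_name_problems(expected_fqdn)
    if len(expected_fqdn) > UB_COMMON_NAME:
        findings.append("FQDN is %d characters, over the %d-character CN "
                        "limit; carry it in SubjectAltName"
                        % (len(expected_fqdn), UB_COMMON_NAME))
    if csr_cn != expected_fqdn:
        if expected_fqdn.startswith(csr_cn):
            # The CSR generator cut the name short, as in the original post.
            findings.append("CN truncated by %d characters (CN is %d long)"
                            % (len(expected_fqdn) - len(csr_cn), len(csr_cn)))
        else:
            findings.append("CN does not match expected FQDN")
    return findings


if __name__ == "__main__":
    # Simulate a device that drops the last 7 characters of the name.
    for finding in check_csr_cn(SAMPLE_FQDN, SAMPLE_FQDN[:-7]):
        print(finding)
    for finding in check_csr_cn(LONG_NAME, LONG_NAME):
        print(finding)
```

A truncation finding on a name shorter than 64 characters points at the device's CSR generator rather than at the CN limit.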
