Retain Order of Domains

[zenhack]

Issue by zx2c4
Tuesday Feb 09, 2016 at 13:42 GMT
Originally opened as kuba/simp_le#72

---

For certificates that authenticate multiple sites, I'd like to specify which domain goes in the CN field. This should probably be the first -d domain specified. But since simp_le uses a dictionary, the ordering provided by the user is lost.

Could you have the ordering of -d be preserved, or add another switch to specify explicitly which domain should be in the CN?

Thanks.

[zenhack]

Comment by trunneml
Sunday Feb 21, 2016 at 16:42 GMT

---

It should be enough to change the dict in https://github.com/kuba/simp_le/blob/master/simp_le.py#L1273 to an OrderedDict.

[zenhack]

Comment by wiml
Sunday Feb 21, 2016 at 23:03 GMT

---

FWIW, if there is a domain name SAN, then the contents of the CN are (should be) ignored: this is mentioned in RFC2818 (section 3.1), and also in RFC6125 (section 6.4.4).

Also, I think the ordering of the entries in the SAN list is fixed by the DER encoding rules for SETs.

I think that, between those two things, it would make more sense to simply have an option to specify the contents of the CN, or perhaps the entire subject distinguished name. If you have web clients from the 1990s that require a hostname there, you can specify the one you like.

[zenhack]

Comment by zx2c4
Sunday Feb 21, 2016 at 23:06 GMT

---

Either way works well for me. I think I like the idea of having an explicit option the best though.

[zenhack]

Comment by kuba
Sunday Apr 17, 2016 at 21:23 GMT

---

This will be WONTFIX obsolete as of #105.

[zenhack]

Closing; see discussion in #30