TLS: assigning certificates to username

Arran Cudbard-Bell a.cudbardb at
Thu May 5 17:06:41 CEST 2016

> On 5 May 2016, at 10:52, Alan DeKok <aland at> wrote:
> On May 5, 2016, at 10:22 AM, Arran Cudbard-Bell <a.cudbardb at> wrote:
>> It *may* contain a CN, and that *may* be an NAI.
>  Most importantly, it's under the control of the admin who's issuing the certs.
>  So... 99% of people use the NAI in the common name.

and i'm 100% sure you're completely wrong :)

>  Doing anything else is crazy.

That'd be why RFC 6818 gives an example of common name being the user's full name?

   Standard sets of attributes have been defined in the X.500 series of
   specifications [X.520].  Implementations of this specification MUST
   be prepared to receive the following standard attribute types in
   issuer and subject (Section names:

      * country,
      * organization,
      * organizational unit,
      * distinguished name qualifier,
      * state or province name,
      * common name (e.g., "Susan Housley"), and
      * serial number.

and RFC 5216 (EAP-TLS) states pretty plainly that:

 Where the peer identity represents a host, a subjectAltName of type
   dnsName SHOULD be present in the peer certificate.  Where the peer
   identity represents a user and not a resource, a subjectAltName of
   type rfc822Name SHOULD be used, conforming to the grammar for the
   Network Access Identifier (NAI) defined in Section 2.1 of [RFC4282].
   If a dnsName or rfc822Name are not available, other field types (for
   example, a subjectAltName of type ipAddress or
   uniformResourceIdentifier) MAY be used.

So in fact I revise my previous statement, if your cert contains an NAI in the CN part of the subject, your system administrator is an idiot.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list