Somewhat OT: Empty SubjectAltName on server certificate (EAP-PEAP)

John Dennis jdennis at
Mon Apr 12 17:42:35 CEST 2010

On 04/12/2010 10:54 AM, Sergio Belkin wrote:
> Hi,
> I have a certificate with xpextensions but its "SubjectAltName" is empty.
> Is it mandatory, or is it only wrong when its content doesn't match the FQDN?
> Thanks in advance!

I believe you mean to say you have a certificate with x509 certificate 
extensions. Do you mean there is a SubjectAltName extension present in 
the certificate but its value is empty, or do you mean there is no 
SubjectAltName in the certificate?

There are numerous x509 certificate extensions; SubjectAltName is just 
one of the possibilities. Just because a cert has extensions does *not* 
mean it needs to have SubjectAltName.

SubjectAltName needs to be present when the CN component of the 
certificate subject does not match the FQDN of the server presenting the 
cert; otherwise it is not necessary. As an aside, the SubjectAltName 
still needs to be validated by some means.

John Dennis <jdennis at>
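
An added example, not part of the original message: a name check that separates the cases asked about in this thread (SubjectAltName absent, present but empty, present with dNSName entries). It assumes the RFC 2818 rule that dNSName entries, when present, are used instead of the CN, and takes the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the sample certificates and host names are constructed, and a given EAP supplicant may apply different matching.

```python
# Added example: works on the decoded-certificate dict that
# ssl.SSLSocket.getpeercert() returns. All sample values are constructed.

def _match(pattern, host):
    """Exact match, or a wildcard covering only the left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_server_name(cert, fqdn):
    """Return (ok, reason) for fqdn checked against a decoded certificate."""
    fqdn = fqdn.lower().rstrip(".")
    san = cert.get("subjectAltName")      # None when the extension is absent
    dns_names = [v.lower() for (kind, v) in (san or ()) if kind == "DNS"]

    if dns_names:
        # RFC 2818: dNSName entries take precedence; the CN is not consulted.
        if any(_match(p, fqdn) for p in dns_names):
            return True, "matched subjectAltName dNSName"
        return False, "subjectAltName present but no dNSName matches"

    # No usable dNSName: extension absent, empty, or only other name types.
    cns = [v.lower() for rdn in cert.get("subject", ())
           for (key, v) in rdn if key == "commonName"]
    state = "absent" if san is None else "present without dNSName"
    if any(_match(cn, fqdn) for cn in cns):
        return True, f"subjectAltName {state}; matched subject CN"
    return False, f"subjectAltName {state}; subject CN does not match"

# Constructed sample certificates (hypothetical host names).
_CN = ((("commonName", "radius.example.org"),),)
CN_ONLY = {"subject": _CN}
EMPTY_SAN = {"subject": _CN, "subjectAltName": ()}
SAN_MATCH = {"subject": ((("commonName", "Example RADIUS"),),),
             "subjectAltName": (("DNS", "radius.example.org"),)}
SAN_MISMATCH = {"subject": _CN,
                "subjectAltName": (("DNS", "other.example.org"),)}

if __name__ == "__main__":
    for name, cert in [("CN_ONLY", CN_ONLY), ("EMPTY_SAN", EMPTY_SAN),
                       ("SAN_MATCH", SAN_MATCH), ("SAN_MISMATCH", SAN_MISMATCH)]:
        print(name, check_server_name(cert, "radius.example.org"))
```

The SAN_MISMATCH case fails even though its CN matches, because a dNSName entry is present and does not cover the server name.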

