What strings are allowed in the “common name” attribute in an X.509 certificate?

遥遥无期 2021-02-02 07:45

In the common name field of the DN of an X509 certificate, as defined in ASN.1 notation for OID "2.5.4.3", what are the allowed values?

I know that the limit i

4 Answers
  •  粉色の甜心
    2021-02-02 08:11

    If your main problem is to know whether or not you can (or should) put an IP address in the Subject DN's Common Name, the answer is no.

    This isn't related to the X.509 format, but to the specifications that say how to interpret what they read.

    When it comes to HTTPS, RFC 2818 says the following about IP addresses:

    "In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI."

    This means that the CN shouldn't be used at all for an IP address, and that the SAN entry type must be IP address, not DNS. (Some browsers won't implement this fully, so they might be more tolerant. The Java default host name verifier will be strict.)

    Best practices for certificate identity verification are also now defined in RFC 6125, but it considers IP addresses out of scope (it's worth reading this section for arguments against using IP addresses there). If you go through the excerpts of RFCs regarding other protocols, some have similar constraints regarding IP addresses (e.g. LDAP).
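
Added example, not part of the answer above: a strict reference-identity check in the spirit of the RFC 2818 rule it quotes, so an IP address is accepted only from an iPAddress SAN entry and never from the CN or a DNS-type SAN. It assumes the certificate is in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function name `matches_reference` and the sample certificates are constructed for illustration, and wildcard names are left out.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the names and addresses are made up.
CERT_IP_IN_CN = {
    "subject": ((("commonName", "192.0.2.10"),),),
}
CERT_IP_AS_DNS_SAN = {
    "subject": ((("commonName", "server.example"),),),
    "subjectAltName": (("DNS", "192.0.2.10"),),
}
CERT_IP_SAN = {
    "subject": ((("commonName", "server.example"),),),
    "subjectAltName": (("DNS", "server.example"), ("IP Address", "192.0.2.10")),
}


def _as_ip(value):
    """Return an ipaddress object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def matches_reference(cert, reference):
    """Check a reference identity (host name or IP literal) against cert."""
    sans = cert.get("subjectAltName", ())
    ref_ip = _as_ip(reference)
    if ref_ip is not None:
        # IP reference: only iPAddress SAN entries count, never CN or dNSName.
        return any(kind == "IP Address" and _as_ip(value) == ref_ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if not dns_names:
        # RFC 2818 fallback: CN is consulted only when no dNSName SAN exists.
        dns_names = [value for rdn in cert.get("subject", ())
                     for key, value in rdn if key == "commonName"]
    # Exact, case-insensitive comparison; wildcards are out of scope here.
    wanted = reference.rstrip(".").lower()
    return any(_as_ip(name) is None and name.rstrip(".").lower() == wanted
               for name in dns_names)
```

Running it over the three sample certificates shows that only the one carrying an iPAddress SAN validates for `192.0.2.10`; the same address placed in the CN or in a DNS-type SAN is rejected.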
