What strings are allowed in the “common name” attribute in an X.509 certificate?

遥遥无期 2021-02-02 07:45

In the common name field of the DN of an X509 certificate, as defined in ASN.1 notation for OID "2.5.4.3", what are the allowed values?

I know that the limit i

4 Answers
  •  北恋 (OP)
    2021-02-02 08:27

    What strings are allowed in the “common name” attribute in an X.509 certificate?

    I can't really answer what goes in there, but I can tell you what does not go in there: server names, like hostnames (www.example.com), Internal Names (like www) and IP Addresses (like 127.0.0.1 or 100.100.100.100).

    Placing a DNS name or server name in the Common Name (CN) is deprecated by both the IETF and CA/Browser Forums. Though deprecated, it's currently not prohibited. The CA/B is important because that's what browsers follow - browsers do not follow the IETF.

    The IETF deprecated the practice in RFC 6125, section 2.3, while the CA/B deprecated the practice in the Baseline Requirements, section 9.1.1.

    All server names go in the Subject Alternative Name (SAN). Placing server names in the SAN is required by CA/B Baseline Requirements, section 9.2.1. The IETF is more forgiving during issuance with RFC 5280, but requires it during validation under section 6.4.4 of RFC 6125.
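
An added example (not part of the original answer): a name audit over a certificate decoded into the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, flagging a CN that looks like a server name or IP address and any such name that is not repeated in the SAN. The function names, finding labels and sample certificates are constructed for illustration, and the hostname test is a heuristic.

```python
import ipaddress
import re

# One DNS label (letters, digits, hyphen); the leftmost label may be "*".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:\*|{_LABEL})(?:\.{_LABEL})*\.?$")


def classify_cn(cn):
    """Heuristic: return 'ip', 'dns' or 'other' for a commonName value."""
    try:
        ipaddress.ip_address(cn)
        return "ip"
    except ValueError:
        pass
    # A single label such as "www" counts as a (possibly internal) server name.
    return "dns" if _HOSTNAME.match(cn) else "other"


def audit_names(cert):
    """Return a list of findings for a cert dict shaped like getpeercert()."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = cert.get("subjectAltName", ())
    san_dns = {v.lower().rstrip(".") for k, v in san if k == "DNS"}
    san_ip = {ipaddress.ip_address(v) for k, v in san if k == "IP Address"}
    findings = []
    if not san_dns and not san_ip:
        findings.append("no-san")
    for cn in cns:
        kind = classify_cn(cn)
        if kind == "ip":
            findings.append(f"cn-is-ip:{cn}")
            if ipaddress.ip_address(cn) not in san_ip:
                findings.append(f"cn-not-in-san:{cn}")
        elif kind == "dns":
            findings.append(f"cn-is-server-name:{cn}")
            if cn.lower().rstrip(".") not in san_dns:
                findings.append(f"cn-not-in-san:{cn}")
    return findings


# Constructed sample certificates (not taken from any real deployment).
LEGACY = {"subject": ((("organizationName", "Example Org"),),
                      (("commonName", "www.example.com"),))}
MODERN = {"subject": ((("commonName", "Example Web Service"),),),
          "subjectAltName": (("DNS", "www.example.com"),
                             ("IP Address", "127.0.0.1"))}
MIXED = {"subject": ((("commonName", "127.0.0.1"),),),
         "subjectAltName": (("DNS", "www.example.com"),)}
```

Because the check is lexical, a one-word CN such as a given name is also reported as a server name and needs a manual look.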
