FQDN in the subject CN or not

It’s assumed that there’s an FQDN in the subject CN, but that’s not always the case.

I followed this tutorial to create a test certificate and the subject CN is “My firewall”.

When trying to delete this certificate, I get

Validation errors: [fqdn: Must validate one and only one schema (oneOf) fqdn: Does not match format 'hostname']

and the certificate is not deleted.

See:

Specifically:

For these reasons, the BRs state that for Domain Validated certificates, the Common Name field is “not recommended”.

Edit: here’s an actual, live certificate (issued by Let’s Encrypt just a moment ago) with no CN field:

-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----

…and its contents:

root@certbot-temp:/etc/letsencrypt/live/phaa4padeen3iisah9eew9shuxoeshaezah4sheexudooh9eipatha3.lan.2v6.in# openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:85:0c:52:da:7a:f6:13:a4:1c:7d:5d:57:ca:59:03:01:ce
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E6
        Validity
            Not Before: Mar 21 20:42:16 2025 GMT
            Not After : Jun 19 20:42:15 2025 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:51:c6:a5:dc:8a:f5:df:73:22:65:7e:f6:41:2a:
                    b6:98:10:fa:a8:b9:4a:a3:de:d5:f8:6f:90:b6:6f:
                    9f:f7:5c:20:3a:e3:14:39:56:c0:bd:63:03:07:a7:
                    cc:e8:0c:a5:48:5e:3c:60:6e:07:90:41:f7:7c:22:
                    c3:e3:cf:ef:01
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                04:05:56:17:3A:C8:91:25:DC:1B:3A:DE:08:D2:32:DC:62:85:F1:73
            X509v3 Authority Key Identifier:
                93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
            Authority Information Access:
                OCSP - URI:http://e6.o.lencr.org
                CA Issuers - URI:http://e6.i.lencr.org/
            X509v3 Subject Alternative Name: critical
                DNS:phaa4padeen3iisah9eew9shuxoeshaezah4sheexudooh9eipatha3.lan.2v6.in
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://e6.c.lencr.org/79.crl
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : CC:FB:0F:6A:85:71:09:65:FE:95:9B:53:CE:E9:B2:7C:
                                22:E9:85:5C:0D:97:8D:B6:A9:7E:54:C0:FE:4C:0D:B0
                    Timestamp : Mar 21 21:40:46.178 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:8F:CD:BE:63:E5:96:87:06:E4:F7:13:
                                9D:E6:29:D9:E9:C0:A0:D5:46:3F:3C:B1:E8:00:54:A6:
                                55:3B:BA:0F:F8:02:21:00:8F:01:45:0C:51:B8:BE:26:
                                D4:7B:6D:61:FD:09:78:8B:76:7F:EF:22:5E:7F:1A:E1:
                                07:1A:CE:5F:78:CB:7B:E8
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 13:4A:DF:1A:B5:98:42:09:78:0C:6F:EF:4C:7A:91:A4:
                                16:B7:23:49:CE:58:57:6A:DF:AE:DA:A7:C2:AB:E0:22
                    Timestamp : Mar 21 21:40:46.344 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:3A:BC:D0:F4:D9:3A:22:78:43:F8:87:72:
                                56:EA:6F:99:43:4F:F7:4A:72:FB:B7:C2:CC:B4:36:DB:
                                87:A0:4A:A2:02:20:32:EA:60:7E:98:9B:94:6E:01:BC:
                                51:3E:1B:64:18:9B:97:93:21:F4:33:F6:FD:42:4D:EC:
                                8F:41:64:24:9B:49
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:30:70:73:02:88:67:0c:0f:4a:a4:f1:10:c8:0e:0c:
        1c:0c:11:e0:42:60:3d:de:0e:a8:cb:9e:be:4a:6a:2b:44:cb:
        6b:d5:bb:38:07:d3:f8:ab:15:6a:5e:af:6a:a3:82:59:02:31:
        00:db:09:c1:e0:87:57:19:fa:f4:33:4e:91:8c:1e:9e:4e:38:
        65:d0:2b:e9:f4:bb:e5:60:65:e1:a8:db:44:f8:88:ab:ea:09:
        a0:8a:fd:20:2e:3d:15:7f:6d:de:dd:d7:dd

A post was merged into an existing topic: Deleting certificates on updated systems throws an error

IIUC, according to the Baseline Requirements document linked by @danb35, the CN field must match a SAN entry:

If present, this attribute MUST contain exactly one entry that is one of the values contained in the Certificate’s subjectAltName extension […]

The tutorial may need to be updated to set CN=myserver.local or CN=myserver1.local.

Having said that, I agree that if the CN field value is not a reliable and unique hostname value, a different way to identify uploaded certificates is needed. If you find other cases where this limitation becomes a problem please report them!

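Added example (not code from this thread, from TrueNAS, or from Let's Encrypt): a Python script, assuming the `cryptography` package is installed, that builds three constructed self-signed test certificates mirroring the cases discussed above (an empty subject with a critical SAN, like the Let's Encrypt certificate in @danb35's post; CN "My firewall" with no SAN, like the tutorial certificate; a CN that also appears in the SAN, as the BR quote requires), checks the BR rule that a present CN must equal one SAN entry, and derives an identifier that falls back to the first SAN dNSName or to the SHA-256 fingerprint when the CN is absent or is not a valid hostname. `is_hostname` approximates the JSON-Schema 'hostname' format named in the validation error; `cert_identity` and its fallback order are this example's own design, not TrueNAS middleware code.

```python
"""Added example, not from the thread or from TrueNAS: inspect Subject CN vs SAN.

Assumes the `cryptography` package. The test certs built by make_cert() are
constructed here and self-signed; they are not real CA issuances.
"""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Approximation of the JSON-Schema "hostname" format from the validation
# error: RFC 1123 labels (1-63 chars, alnum or '-', no leading/trailing '-')
# joined by dots, 253 chars max. A space, as in "My firewall", fails it.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_hostname(value: str) -> bool:
    return bool(_HOSTNAME_RE.match(value))


def subject_cn(cert: x509.Certificate):
    """Subject CN, or None when the subject has no CN (or is empty entirely)."""
    attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else None


def san_dns_names(cert: x509.Certificate) -> list:
    """dNSName entries of subjectAltName ([] when the extension is absent)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def cn_matches_san(cert: x509.Certificate) -> bool:
    """CA/B Forum BR rule: if a CN is present it must equal one SAN entry.

    A certificate with no CN passes (the Let's Encrypt case above).
    Only dNSName SANs are compared here; IP-address SANs are left out.
    """
    cn = subject_cn(cert)
    return cn is None or cn in san_dns_names(cert)


def cert_identity(cert: x509.Certificate) -> str:
    """Identifier for an uploaded cert that never relies on the CN alone.

    Order (this example's own choice): a CN that is a valid hostname AND is
    also a SAN entry; else the first SAN dNSName; else the SHA-256
    fingerprint, which is unique even when the subject is empty.
    """
    cn = subject_cn(cert)
    names = san_dns_names(cert)
    if cn is not None and is_hostname(cn) and cn in names:
        return cn
    if names:
        return names[0]
    return "sha256:" + cert.fingerprint(hashes.SHA256()).hex()


def make_cert(cn, dns_names) -> x509.Certificate:
    """Constructed self-signed test certificate for the cases in the thread."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)] if cn else [])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Issuer")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=90))
    )
    if dns_names:
        # RFC 5280 requires the SAN to be critical when the subject is empty.
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]),
            critical=not cn,
        )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    cases = [
        ("Let's Encrypt style, empty subject", make_cert(None, ["host.lan.example"])),
        ("tutorial cert, CN only", make_cert("My firewall", [])),
        ("BR-compliant CN", make_cert("myserver.local", ["myserver.local"])),
    ]
    for label, cert in cases:
        print(f"{label}: CN={subject_cn(cert)!r} SAN={san_dns_names(cert)} "
              f"cn_matches_san={cn_matches_san(cert)} identity={cert_identity(cert)}")
```

For a certificate already on disk, `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` (the `-ext` option needs OpenSSL 1.1.1 or later) prints just the subject and the SAN; for a certificate like the Let's Encrypt one above the subject line is empty, which is exactly the case the CN-based lookup cannot handle.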