Status: Closed (closed by WilsonKathleen 7 years ago)
Hi Kathleen. This requirement comes from the BRs, not RFC5280. See https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf section 7.1.4.2.2.e and 7.1.4.2.2.f.
I'm not sure if (some or all of) 7.1.4.2.2 is meant to apply to root certificates. Reading from "7.1.4 Name Forms", it initially seems to me like this section is meant to apply to all in-scope certs (end-entity, intermediate and root). But if that's true, then 7.1.4.2.1 requires all root and intermediate certs to contain the Subject Alternative Name extension...which doesn't make sense.
This is a requirement from the BRs, not RFC5280. See 7.1.4.2.2 e and f. Those sections apply to all certificates.
I already make a special exception for SANs that it only applies to subscriber certificates.
OK. Thanks.
I added a row about this error to https://wiki.mozilla.org/CA:TestErrors#CA.2FBrowser_Forum_Baseline_Requirements_Errors
So is this something I can close for now?
Yes. Thanks.
In regards to ERROR: Subject with organizationName but without stateOrProvince or localityName
It was not clear to me where this requirement comes from in https://tools.ietf.org/html/rfc5280. Would you please point me to that?
Also, does this apply to root certificates?
I get this error when running x509lint on the following root cert via crt.sh:

organizationalUnitName = AC RAIZ FNMT-RCM
organizationName = FNMT-RCM
countryName = ES
SHA-256(Certificate) EBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA
SHA-1(Certificate) EC503507B215C4956219E2A89A5B42992C4C2C20
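The two Baseline Requirements rules discussed in this thread, written out as a small lint check. This is an added example, not x509lint's own code: it assumes the certificate has already been parsed into a dict of Subject attribute names (x509lint itself works on the DER input), implements BR 1.4.1 section 7.1.4.2.2 e/f (organizationName requires localityName or stateOrProvinceName, for every certificate type) and applies the Subject Alternative Name rule only to subscriber certificates, mirroring the exception the maintainer describes above. The Subject of the FNMT-RCM root is taken from the issue; the other inputs are constructed.

```python
# Added example (not x509lint's code): a minimal check of the two CA/Browser Forum
# Baseline Requirements rules discussed in this thread (BR 1.4.1, 7.1.4.2.2 e and f):
# a Subject that carries organizationName must also carry localityName or
# stateOrProvinceName. The Subject Alternative Name rule (7.1.4.2.1) is applied
# only to subscriber (end-entity) certificates, mirroring the exception the
# maintainer describes. The certificate is represented as an already-parsed
# dict of Subject attributes (an assumption; real x509lint works on DER input).

from typing import Dict, List, Optional

# Subject attribute names as they appear in this thread's x509lint output.
ORG = "organizationName"
LOCALITY = "localityName"
STATE = "stateOrProvinceName"


def check_org_requires_locality_or_state(subject: Dict[str, str]) -> List[str]:
    """BR 7.1.4.2.2 e/f: if organizationName is present, at least one of
    localityName or stateOrProvinceName must be present too. Applies to every
    certificate type (root, intermediate, subscriber)."""
    errors: List[str] = []
    if ORG in subject and LOCALITY not in subject and STATE not in subject:
        errors.append(
            "ERROR: Subject with organizationName but without "
            "stateOrProvince or localityName"
        )
    return errors


def check_san_present(san: Optional[List[str]], is_subscriber: bool) -> List[str]:
    """BR 7.1.4.2.1: subscriber certificates must carry a SAN extension.
    Root and intermediate certificates are exempted, as in this thread."""
    if not is_subscriber:
        return []
    if not san:
        return ["ERROR: Subscriber certificate without subjectAltName extension"]
    return []


def lint(subject: Dict[str, str], san: Optional[List[str]], is_subscriber: bool) -> List[str]:
    """Run both checks and return the combined list of error strings."""
    return check_org_requires_locality_or_state(subject) + check_san_present(san, is_subscriber)


# Constructed inputs. The first mirrors the root certificate quoted in the issue
# (its Subject attributes as printed by x509lint); the others are made up to
# show the passing cases.
FNMT_ROOT_SUBJECT = {
    "organizationalUnitName": "AC RAIZ FNMT-RCM",
    ORG: "FNMT-RCM",
    "countryName": "ES",
}
FIXED_ROOT_SUBJECT = dict(FNMT_ROOT_SUBJECT, **{LOCALITY: "Madrid"})  # constructed
SUBSCRIBER_SUBJECT = {"commonName": "example.test"}  # constructed, no organizationName

if __name__ == "__main__":
    for label, subj, san, sub in [
        ("FNMT root as reported", FNMT_ROOT_SUBJECT, None, False),
        ("root with localityName added", FIXED_ROOT_SUBJECT, None, False),
        ("subscriber without SAN", SUBSCRIBER_SUBJECT, None, True),
        ("subscriber with SAN", SUBSCRIBER_SUBJECT, ["example.test"], True),
    ]:
        print(label, "->", lint(subj, san, sub) or "OK")
```

Running the script reproduces the exact error string from the issue for the FNMT-RCM root and shows that adding either localityName or stateOrProvinceName clears it, while the missing SAN on a root is never reported.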