Allow multiple entries without a Subject even if unique_subject == yes

It is quite likely for there to be multiple certificates with empty subjects, which are still distinct because of subjectAltName. Therefore we allow multiple certificates with an empty Subject even if unique_subject is set to yes. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5445)
author: Matt Caswell <matt@openssl.org> 2018-02-23 19:48:11 +0000
committer: Matt Caswell <matt@openssl.org> 2018-03-15 13:34:57 +0000
commit: dacdc5fe526d5b838f51711ba602d375159e488a (patch)
tree: 7f7b4248a30fa26870236e0d7bce11d38f9ee93a /doc
parent: 50615b3c969d1cc2d4beb09f141c678bfe06382b (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index cc26bf48a3..8d94ecb461 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -424,6 +424,10 @@ versions of OpenSSL.  However, to make CA certificate roll-over easier,
 it's recommended to use the value B<no>, especially if combined with
 the B<-selfsign> command line option.
 
+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate.
+
 =item B<serial>
 
 a text file containing the next serial number to use in hex. Mandatory.
author	Matt Caswell <matt@openssl.org>	2018-02-23 19:48:11 +0000
committer	Matt Caswell <matt@openssl.org>	2018-03-15 13:34:57 +0000
commit	dacdc5fe526d5b838f51711ba602d375159e488a (patch)
tree	7f7b4248a30fa26870236e0d7bce11d38f9ee93a /doc
parent	50615b3c969d1cc2d4beb09f141c678bfe06382b (diff)