Suggested by @tarcieri. This would enable CommonName to be omitted from a certificate. However, before exposing this in x509::write::tbs_certificate (making either issuer or subject optional), we should ensure that we are still generating valid certificates. It appears that an empty Subject is valid under RFC 5280, but is not guaranteed to be compatible (and e.g. a non-empty CN is currently required under CA/B rules).

As specified in section 4.2 of RFC5280, the value of an extension should be an OCTET STRING wrapping the DER-encoded OCTET STRING of the actual value of the extension (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2).

Currently, the x509 crate writes the DER-encoded value directly, without the wrapping OCTET STRING.

I'll PR a change shortly.

Example of correct cert (using SO's TLS cert, look at the Subject Key Identifier):
-----BEGIN CERTIFICATE-----
MIIG9DCCBdygAwIBAgISA8DYut7wo8SXZw8vWUxBoRJBMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA4MTUxMzA3MzRaFw0yMTExMTMxMzA3MzJaMB4xHDAaBgNVBAMM
Eyouc3RhY2tleGNoYW5nZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDn0tiB4v6DOp+5qNQD6VbHE1Hs9VBOxOl2gMOt4wJEB8DjuW/0fgrhDo+N
xstje4QENhdrF9Ag4HHId4zeXksVM8VztsfeIZxWQpuk/Zqi/Tzr3de0qB20F4oo
se3nX9mswBA+mI9/L3SPq+BkCXb0LMVOu1Wfk1TQ/NNzUHXtr3z5Nt7TzDB3vp/V
A0zzzTtIy4GoYoAllAuMWBm4OJMrviFbvzcmzbvqESGnr9+CTZA/9TL2R0QwA+gb
Es2baX7RWe1qYKD7usC6dxMSzrmR4ukI5wqmSQErRx/eygw5RgX2Wkk29t8e2ZQh
YWDFH4KI7MfJsP/o4YYILtsMH45tAgMBAAGjggQWMIIEEjAOBgNVHQ8BAf8EBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw
HQYDVR0OBBYEFEqp8UV9sl+gsvzEJBIh/QpD9k+XMB8GA1UdIwQYMBaAFBQusxe3
WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0
cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j
ci5vcmcvMIIB5AYDVR0RBIIB2zCCAdeCDyouYXNrdWJ1bnR1LmNvbYISKi5ibG9n
b3ZlcmZsb3cuY29tghIqLm1hdGhvdmVyZmxvdy5uZXSCGCoubWV0YS5zdGFja2V4
Y2hhbmdlLmNvbYIYKi5tZXRhLnN0YWNrb3ZlcmZsb3cuY29tghEqLnNlcnZlcmZh
dWx0LmNvbYINKi5zc3RhdGljLm5ldIITKi5zdGFja2V4Y2hhbmdlLmNvbYITKi5z
dGFja292ZXJmbG93LmNvbYIVKi5zdGFja292ZXJmbG93LmVtYWlsgg8qLnN1cGVy
dXNlci5jb22CDWFza3VidW50dS5jb22CEGJsb2dvdmVyZmxvdy5jb22CEG1hdGhv
dmVyZmxvdy5uZXSCFG9wZW5pZC5zdGFja2F1dGguY29tgg9zZXJ2ZXJmYXVsdC5j
b22CC3NzdGF0aWMubmV0gg1zdGFja2FwcHMuY29tgg1zdGFja2F1dGguY29tghFz
dGFja2V4Y2hhbmdlLmNvbYISc3RhY2tvdmVyZmxvdy5ibG9nghFzdGFja292ZXJm
bG93LmNvbYITc3RhY2tvdmVyZmxvdy5lbWFpbIIRc3RhY2tzbmlwcGV0cy5uZXSC
DXN1cGVydXNlci5jb20wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMB
AQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEE
BgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkG
jbIImjfZEwAAAXtKI6GwAAAEAwBHMEUCIQDzAvPNSd9pkw4ltufhkQYe7dtuGGpM
vJKpcxVE/EBQBAIgPE76BeIursp6nH68ScndfOBQcFP9cWtt67GaWG8UIvgAdgB9
PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5ql2iZfiLw1wAAAXtKI6GtAAAEAwBHMEUC
IGb5JIi5eKssL2hT7vcYhta+Rg4GiwlvGvH7q/oo186rAiEAls+YZkVezUxcrUwK
XMw7Nz2EZx4+dU7WcT2YLUFo74QwDQYJKoZIhvcNAQELBQADggEBAI+QUfE/pcxz
Zw6e1XKcamc90v5JFP5gMSn4AHgAHfNeW6lU7RFJ3X7iXFoCX/h1GxaO8TMEW2MA
JxXE92Wqga/fByVidzvP01kuYOJhtk8vCQJ6fm4QM+/PrvCuM3AYH45wy9MLVchp
tvlCOTkFwl+qVUVpHORZwpt9IzZ3dnDPN+wtRhc9cS7HfTZhgbfbYSJnOcOdIoxL
HTtD+tHa4VJ9/HFpgneb145uw+A7k0QGd8gcphf87ms9IcNXp7b8qWKO5DmGttyr
SPhFQeLsyHeid6zEYfYwTHgRmBG/FDYqKkcYNR6b+3eGVs4b5O1jmu9cDuvP5hVX
6tallFt1cfk=
-----END CERTIFICATE-----

Example of cert outputted by the x509 crate (unwrapped subject key identifier):
-----BEGIN CERTIFICATE-----
MIIBETCBxKADAgECAhUAmjF5hH2bvRNLfEhFPze3FvlalaAwBQYDK2VwMBIxEDAOBgNVBAMMB3Bh
dXdlbHMwHhcNMjEwOTAzMTExMTMwWhcNMzEwMTAxMDAwMDAwWjASMRAwDgYDVQQDDAdwYXV3ZWxz
MCowBQYDK2VwAyEAKJtKEGW9dH6IQHi2nt/iLR24Sh5Y6s6k4vpFph5gJsujKzApMCcGA1UdDgQg
cKTUcN2KZBWIR8OdTERjtNV+O1x2/+yU8HZd+oEIfKowBQYDK2VwA0EA5qYginD6hbO+vLIGNoPz
e756W0/xncApoOSLM53ou885YoleSEsfAeb0tNxB8/1b0dOKypVISijKwj4GRpZXCQ==
-----END CERTIFICATE-----

I use this to compare:
https://lapo.it/asn1js/

Hi, I'm the author of the crate x509-parser (and also cookie-factory), and have also added some serialization support in der-parser. I noticed your crate, and see many similarities with what I'm willing to add to x509-parser.

What do you think of merging some efforts or code?