Are all the parts of the DN in a X.509 optional?
From RFC3280:
Implementations of this specification MUST be prepared to receive the following standard attribute types in issuer and subject (section 4.1.2.6) names:
* country,
* organization,
* organizational-unit,
* distinguished name qualifier,
* state or province name,
* common name (e.g., "Susan Housley"), and
* serial number.
I could not find if any of these is mandatory.
I am asking because I am seeing a certificate that is signed by a trusted CA but in the issuer's field the CN is missing (and the C, but I don't think that's important). I was expecting that CN is mandatory. Is it?
Are there any security implications of the omission of the CN from the issuer's field?
As @Bruno says, there is no requirement in RFC3280 for an Issuer DN to have a CN. RFC3280 states:
The issuer field MUST contain a non-empty distinguished name (DN).
However, RFC3280 does not make any requirement on which RDN(s) should be present. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.
OU = Equifax Secure Certificate Authority,O = Equifax,C = US
Or this Verisign CA.
OU = VeriSign Trust Network,OU = "(c) 1998 VeriSign, Inc. - For authorized use only",OU = Class 3 Public Primary Certification Authority - G2,O = "VeriSign, Inc.",C = US
Path building and validation using RFC3280 does not require a CN in the Issuer DN.
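To make the point concrete, here is an added example (my own code, not part of the answer above or of any RFC): it parses the two Issuer DN strings quoted in the answer, reports whether a CN attribute is present, and then does the comparison that path building actually relies on, matching a certificate's Issuer DN against a candidate CA's Subject DN attribute by attribute. It assumes the string format shown above (comma-separated `TYPE = value` pairs, double quotes around values that themselves contain commas, and a backslash as an escape); the case-folding and whitespace-collapsing in `normalize_dn` is a simplified stand-in for the RFC 5280 section 7.1 name-comparison rules, and the `EQUIFAX_SUBJECT_OTHER_TOOL` string is a constructed sample, not real tool output.

```python
"""Parse printed X.509 DN strings, check for a CN, and compare an Issuer DN
against a CA Subject DN the way path building does (whole-DN match, no CN
required). Pure Python, no external libraries."""
import re

# DN strings quoted in the answer above (Equifax and VeriSign G2 roots).
EQUIFAX_ISSUER = "OU = Equifax Secure Certificate Authority,O = Equifax,C = US"
VERISIGN_G2_ISSUER = (
    'OU = VeriSign Trust Network,'
    'OU = "(c) 1998 VeriSign, Inc. - For authorized use only",'
    'OU = Class 3 Public Primary Certification Authority - G2,'
    'O = "VeriSign, Inc.",C = US'
)
# Constructed sample: the same Equifax name as another tool might print it
# (different case, different spacing). Not real tool output.
EQUIFAX_SUBJECT_OTHER_TOOL = "ou=Equifax  Secure Certificate Authority, o=EQUIFAX, c=us"


def parse_dn(dn):
    """Split 'OU = X,O = "Y, Inc.",C = US' into [(type, value), ...].

    A double-quoted value may contain commas and '='; a backslash escapes
    the next character. Multi-valued RDNs ('+') are not handled here.
    """
    rdns = []
    attr_type, buf, in_quotes = None, [], False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                             # quotes delimit, they are not part of the value
            in_quotes = not in_quotes
        elif ch == "=" and attr_type is None and not in_quotes:
            attr_type = "".join(buf).strip()      # first unquoted '=' ends the attribute type
            buf = []
        elif ch == "," and not in_quotes:         # unquoted ',' ends the RDN
            if attr_type is None:
                raise ValueError("RDN without '=' before comma: %r" % dn)
            rdns.append((attr_type, "".join(buf).strip()))
            attr_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in DN: %r" % dn)
    if attr_type is None:
        raise ValueError("trailing RDN without '=': %r" % dn)
    rdns.append((attr_type, "".join(buf).strip()))
    return rdns


def normalize_dn(rdns):
    """Simplified RFC 5280 7.1 comparison form: attribute types upper-cased,
    values case-folded with runs of whitespace collapsed. Order is kept,
    because DN comparison is sequence-wise."""
    return [(t.upper(), re.sub(r"\s+", " ", v).strip().casefold()) for t, v in rdns]


def has_cn(dn):
    """True if the DN carries a commonName attribute at all."""
    return any(t.upper() == "CN" for t, _ in parse_dn(dn))


def issuer_matches(issuer_dn, ca_subject_dn):
    """The check path building performs: does the certificate's Issuer DN equal
    the candidate CA's Subject DN? Every attribute takes part; CN is not special."""
    return normalize_dn(parse_dn(issuer_dn)) == normalize_dn(parse_dn(ca_subject_dn))


if __name__ == "__main__":
    for name, dn in (("Equifax", EQUIFAX_ISSUER), ("VeriSign G2", VERISIGN_G2_ISSUER)):
        print("%-12s has CN: %s, RDNs: %d" % (name, has_cn(dn), len(parse_dn(dn))))
    print("Equifax issuer matches CA subject:",
          issuer_matches(EQUIFAX_SUBJECT_OTHER_TOOL, EQUIFAX_ISSUER))
```

Both quoted roots parse to DNs without a CN, and the Equifax Issuer DN still matches its CA's Subject DN, which is all that chaining requires; a validator that looked for a CN before trusting a chain would reject these real roots, while one that compares the whole DN behaves as RFC 3280 expects.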