We are switching from using X509V3CertificateGenerator to the new X509v3CertificateBuilder class. It insists on having an X500Name object for the subject, and throws an NPE if it's null. In our case, we want a null subject and will be using the SubjectAlternativeName (marked critical) as an alternative, which the specification allows.
How do we make an empty X500Name object to pass in to the builder's constructor?
Found it.
new X500Name(new RDN[0])