Notary requires an X509 cert's common name to match the GUN exactly, but the length of a common name is restricted to 64 chars

[dnwake]

In order to be valid, Notary requires that any cert must have a common name that matches the GUN. See https://github.com/docker/notary/blob/master/trustpinning/certs.go#L178

However, RFC3280 imposes a maximum length of 64 characters on the common name of an X509 certificate. See https://www.ietf.org/rfc/rfc3280.txt (search for ub-common-name).

When using Notary with Docker, it is easy to end up with a GUN that is longer than 64 characters (e.g. "my_docker_registry.somedomain.com/my_docker_repo_part_1/my_docker_repo_part_2")

While Notary's own internal certificate-generating code may not enforce this limit, it is enforced by third-party tools such as openssl. This is a big problem for anyone planning to generate their own certificates and then import them into Notary (see #821)

[riyazdf]

Thank you @dnwake for pointing this out! I'm going to link this issue to #883 since it's similar in nature, but different

[dnwake]

For the benefit of future people running into this problem, I've found that the certtool command (supplied as part of the gnutls-utils package) ignores the 64 character limitation, so can be used as a workaround.

[endophage]

Having merged wildcard CNs and there being workarounds, I'm going to close this. We don't have any specific action items to address GUN name length. Please re-open or file an issue with specific action items if more is needed.