Missing Common Name on mTLS certificates issued by Citadel


We configured Citadel with an external CA Key/Cert as described in https://istio.io/docs/tasks/security/plugin-ca-cert/. One of the things that we noticed was the Certificate does not have the regular 'Common Name' field. Instead the identity of the Service (SPIFFE) is present on the Subject Alternate Name (SAN) on the certificate.

We can see this even on the example listed here: https://istio.io/help/ops/security/keys-and-certs/

When researching this further, I came across the list of all Citadel-supported config flags here: https://istio.io/docs/reference/commands/istio_ca/, and one of them specifically related to Common Name is '--experimental-dual-use'. As per the documentation, setting this flag will enable the mTLS certificate to also have the 'Common Name' in addition to the SAN.

A few queries related to this:
1. Is there any reason why SAN and not Common Name is populated and used by default? Given that each mTLS certificate will have only one identity corresponding to a Service Account, why is SAN and not Common Name being used as the primary identifier?
2. The attribute to enable Common Name generation ('--experimental-dual-use') seems to be experimental. Is there any reason for it being experimental, and could it be potentially removed from future releases of Istio?

Istio version this was tested on: v1.1.7


I can answer question 1:

The SPIFFE specification on X.509 mandates the use of a URI SAN as the place to store the SPIFFE ID. SPIFFE-compatible implementations will look for it there, and not in the Common Name.

Note that the use of the Common Name for DNS names is deprecated and discouraged by RFC 6125, and there is no established practice for using Common Names for URIs that I’m aware of.
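As an added illustration of the answer above (example code, not part of this thread and not Istio's or Citadel's own code): a SPIFFE-aware verifier reads the identity from the URI SAN and never from the Common Name, so a SAN-only certificate and a dual-use certificate validate identically. The `identity` helper below does exactly that and also reports whether the Common Name repeats the ID; `constructedCert` builds a self-signed sample certificate so the code runs offline. It assumes, as the flag description suggests, that dual-use places the same SPIFFE ID in the Common Name; the SPIFFE IDs used to exercise it are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// identity returns the SPIFFE ID from the URI SAN, as a SPIFFE-aware verifier
// does, plus whether the Common Name repeats it (assumed dual-use behaviour).
func identity(cert *x509.Certificate) (id string, dualUse bool, err error) {
	var ids []string
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u.String())
		}
	}
	if len(ids) != 1 { // an SVID carries exactly one SPIFFE ID
		return "", false, fmt.Errorf("expected one spiffe URI SAN, found %d", len(ids))
	}
	return ids[0], cert.Subject.CommonName == ids[0], nil
}

// constructedCert builds a self-signed sample certificate (constructed input, not
// one issued by Citadel) with id in a URI SAN and, if dualUse, in the CN as well.
func constructedCert(id string, dualUse bool) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(id)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), URIs: []*url.URL{u}}
	if dualUse {
		tmpl.Subject = pkix.Name{CommonName: id} // empty Subject otherwise, as in Citadel's default output
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```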