What is the 64-Character Limitation on the Common Name (CN) Field in X.509 Certificates?
Overview
This article gives a high-level explanation of the 64-character limit on the Common Name (CN) field in X.509 certificates: where the limit comes from in the public key infrastructure (PKI) standards, how certificate issuance enforces it, and what to do when a hostname does not fit.
Why the 64-Character CN Limitation Exists
The 64-character limit on the Common Name (CN) attribute comes from ITU-T X.520, which defines the directory attribute types used in X.509 distinguished names. X.520 sets an upper bound, ub-common-name, of 64 characters on the commonName value, and RFC 5280 carries the same bound into its ASN.1 module. The bound is counted in characters of the DirectoryString value, not in encoded bytes, so a 64-character UTF8String CN can occupy more than 64 bytes and still comply. Certificate-generation tools, Certificate Authorities (CAs), and CA policy (the CA/Browser Forum Baseline Requirements) enforce the limit for standards compliance and interoperability; OpenSSL, for example, refuses to build a subject name with a longer CN and reports "string too long".
Key Components
Standards That Define or Reinforce the Limitation
- ITU-T X.520 Standard
Defines the commonName attribute and sets its upper bound, ub-common-name, at 64 characters. The bound is counted in characters of the attribute value, not in encoded bytes, and it is this X.520 bound that certificate tools and CA implementations enforce.
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC 5280 profiles X.509 certificates for use on the internet. Section 4.1.2.4 lists the X.520 attribute types, commonName among them, that implementations must be prepared to receive, and the ASN.1 module in Appendix A carries the X.520 upper bound as ub-common-name INTEGER ::= 64.
Relevant sections: 4.1.2.4 (Subject) and Appendix A (ASN.1 module, upper bounds)
Link: https://datatracker.ietf.org/doc/html/rfc5280
- CA/Browser Forum Baseline Requirements
Publicly trusted CAs must comply with the Baseline Requirements, which require certificates to conform to RFC 5280 and restrict the subject commonName, when present, to a single value that also appears in the subjectAltName extension.
Relevant section: 7.1.4.2.2
Link: https://cabforum.org/uploads/CA-Browser-Forum-TLS-BRs-v2.0.2.pdf
Additional Confirming Sources
- Let’s Encrypt Community Discussion
Confirms the 64-character limitation when issuing certificates for long domain names.
Link: https://community.letsencrypt.org/t/a-certificate-for-a-63-character-domain/78870
- DigiCert Documentation
Explicitly states: “We cannot allow the common name value to exceed the 64‑character limit.”
Link: https://docs.digicert.com/en/certcentral/manage-certificates/public-certificates---data-entries-that-violate-industry-standards.html
Use Cases
The 64-character limitation is relevant when:
- Generating X.509 certificates where a domain name or other identifier intended for the CN exceeds 64 characters.
- Ensuring compatibility across legacy and modern systems that validate CN fields.
- Designing certificate issuance processes for complex or long hostnames (e.g., deeply nested subdomains).
Practical Implications
- Certificate Generation:
Most certificate-generation tools and CA issuance systems reject a CSR whose CN is longer than 64 characters. OpenSSL, for example, refuses to build such a subject name and reports "string too long", so the rejection usually happens before the request ever reaches a CA.
- Client Compatibility:
Even if a certificate with a longer CN is produced by a tool that does not enforce the bound, browsers, enterprise clients, and other relying parties may reject it or fail to process the subject name, so such a certificate cannot be relied on to work.
Workarounds and Alternatives
Subject Alternative Name (SAN) Extension
- Recommended modern approach, and required by the Baseline Requirements for every DNS name a publicly trusted certificate covers.
- Allows multiple DNS names in one certificate.
- Not bound by the 64-character CN limit: a dNSName entry is an IA5String with no X.520 upper bound. The practical limits are those of DNS itself (labels of at most 63 octets, full names of at most 253 octets), and internationalized names must be encoded as IDNA A-labels.
Omitting the CN Field
- Increasingly common practice; the Baseline Requirements list the subject CN as deprecated (discouraged, but not prohibited).
- All hostnames are supplied via SANs.
- Avoids CN length issues and remains standards compliant. If the subject is left completely empty, RFC 5280 requires the subjectAltName extension to be present and marked critical; if other subject attributes (e.g., O, C) remain, the CN can simply be dropped.
Wildcard Certificates
- Useful when dealing with domains that have extremely long subdomains (e.g., *.example.com instead of a long fully qualified hostname).
- A wildcard matches exactly one label: *.example.com covers host.example.com but not a.b.example.com, so a deeply nested hostname needs a wildcard at its own level (e.g., *.b.example.com).
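The following script is an added example, not code from the original article or from any CA's tooling. It serves both the Practical Implications above (a pre-check that fails a CN before a CSR is generated, the way OpenSSL would) and the SAN workaround: using a minimal DER encoder written for this example (standard library only, no cryptography dependency), it shows that ub-common-name bounds the number of characters in the commonName value rather than its encoded byte length, that SAN dNSName entries are limited only by DNS label and name lengths, and how to pick a CN from the SAN list that fits the bound or signal that the CN should be omitted. The function names and the sample hostnames are this example's own assumptions.

```python
"""Added example: check an X.509 subject commonName against ub-common-name and
contrast it with SAN dNSName limits. Standard library only; the DER
encoder/decoder is minimal and handles just what the example needs."""
from typing import Optional

UB_COMMON_NAME = 64          # X.520 / RFC 5280 Appendix A: ub-common-name INTEGER ::= 64
OID_COMMON_NAME = "2.5.4.3"  # id-at-commonName
DNS_MAX_LABEL = 63           # RFC 1035 label limit, in octets
DNS_MAX_NAME = 253           # RFC 1035 name limit, presentation form, in octets


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def validate_common_name(cn: str) -> Optional[str]:
    """None if the CN satisfies ub-common-name, else the reason. The bound is
    counted in characters of the DirectoryString, not in UTF-8 bytes."""
    if not cn:
        return "commonName must not be empty"
    if len(cn) > UB_COMMON_NAME:
        return f"commonName is {len(cn)} characters; ub-common-name is {UB_COMMON_NAME}"
    return None


def encode_common_name(cn: str) -> bytes:
    """DER for Name ::= SEQUENCE OF SET OF AttributeTypeAndValue holding a
    single CN as UTF8String (tag 0x0C), the string type modern tools emit."""
    problem = validate_common_name(cn)
    if problem:
        raise ValueError(problem)
    atv = _tlv(0x30, _encode_oid(OID_COMMON_NAME) + _tlv(0x0C, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))


def decode_common_name(name_der: bytes) -> Optional[str]:
    """Walk a DER Name and return the first commonName value, or None."""
    cn_oid = _encode_oid(OID_COMMON_NAME)
    _, rdns, _ = _read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            oid_tag, oid_body, q = _read_tlv(atv, 0)
            if _tlv(oid_tag, oid_body) != cn_oid:
                continue
            vtag, val, _ = _read_tlv(atv, q)
            if vtag == 0x0C:                 # UTF8String
                return val.decode("utf-8")
            if vtag in (0x13, 0x16):         # PrintableString, IA5String
                return val.decode("ascii")
            if vtag == 0x1E:                 # BMPString
                return val.decode("utf-16-be")
            raise ValueError(f"unsupported CN string type 0x{vtag:02x}")
    return None


def check_dns_name(name: str) -> Optional[str]:
    """None if `name` is usable as a SAN dNSName, else the reason. dNSName is an
    IA5String with no X.520 upper bound; the binding limits are DNS's own."""
    if not name.isascii():
        return "dNSName must be ASCII; use the IDNA A-label form"
    if len(name) > DNS_MAX_NAME:
        return f"name is {len(name)} octets; DNS allows at most {DNS_MAX_NAME}"
    for label in name.split("."):
        if not 1 <= len(label) <= DNS_MAX_LABEL:
            return f"label {label!r} is {len(label)} octets; DNS labels are 1..{DNS_MAX_LABEL}"
    return None


def choose_common_name(san_dns_names: list) -> Optional[str]:
    """Pick a CN that fits ub-common-name and repeats one of the SAN entries
    (the Baseline Requirements require the CN to be a SAN value); None means
    omit the CN and rely on the SAN extension alone."""
    for name in san_dns_names:
        if check_dns_name(name) is None and validate_common_name(name) is None:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample names for demonstration only.
    long_host = "very-long-service-instance-identifier-0123456789.internal.example.com"
    print(len(long_host), validate_common_name(long_host), check_dns_name(long_host))
    accented = "\u00e9" * 64   # 64 characters but 128 UTF-8 bytes: still within ub-common-name
    print(decode_common_name(encode_common_name(accented)) == accented)
    print(choose_common_name([long_host, "www.example.com"]), choose_common_name([long_host]))
```

The 69-character sample hostname passes check_dns_name (its longest label is 48 octets) yet fails validate_common_name, which is exactly the case the article describes: a name the SAN extension can carry but the CN cannot. The accented name shows the bound is measured in characters: 64 characters encode to 128 bytes and still round-trip through the encoder.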
Important Considerations
- Legacy Compatibility:
Some older systems still rely on CN matching. Including both CN and SAN ensures maximum compatibility; the CN must then be one of the SAN names, which also means it must fit within 64 characters.
- CA/Browser Forum Guidance:
Modern validation is SAN-based. The Baseline Requirements mark the subject CN as deprecated, and where it is present it must repeat one of the SAN entries.
- Browser Behavior:
Major browsers no longer fall back to the CN. Google Chrome removed CN matching in Chrome 58 (2017), and Apple's platforms have required a SAN since macOS 10.15 and iOS 13, so the SAN is the authoritative field for domain identity.
Recommendation
To ensure compatibility and align with modern best practices:
- Use the SAN extension for all domain identities.
- Include a CN only when backward compatibility requires it, and make it one of the SAN names that fits within 64 characters.
- Omit the CN entirely if none of the names fits and your systems support SAN-only validation.
- Test across all target systems to ensure the certificate is accepted and behaves as expected.