
Does RFC 5280 require that a RelativeDistinguishedName can store an emailAddress?


I saw in RFC 4514 that it specifies that the Distinguished Name must support the following short names.

CN      commonName (2.5.4.3)
L       localityName (2.5.4.7)
ST      stateOrProvinceName (2.5.4.8)
O       organizationName (2.5.4.10)
OU      organizationalUnitName (2.5.4.11)
C       countryName (2.5.4.6)
STREET  streetAddress (2.5.4.9)
DC      domainComponent (0.9.2342.19200300.100.1.25)
UID     userId (0.9.2342.19200300.100.1.1)

As we can see, the short name "emailAddress" is not included. So I would like to ask if RFC 5280 specifies "emailAddress" as one of the short names that must be supported in a Distinguished Name?


Solution

  • RFC 5280 doesn't require support for the Email component (1.2.840.113549.1.9.1). However, the RFC makes the following note (§4.1.2.4):

    As noted above, distinguished names are composed of attributes. This specification does not restrict the set of attribute types that may appear in names. However, conforming implementations MUST be prepared to receive certificates with issuer names containing the set of attribute types defined below. This specification RECOMMENDS support for additional attribute types.

    This quote has several implications:

    In reality, the Email RDN is widely supported by many RFC 5280 implementations because this attribute was used by S/MIME-capable applications, such as email clients and servers. Though it is worth mentioning that Email attribute inclusion or omission in the Subject field may have no effect when the certificate contains a SAN extension. The DirectoryName ASN.1 type natively supports the rfc822Name name type for email addresses. That is, when an email must be included in a certificate, it MUST be populated in the SAN extension. Optionally (not required), it can be duplicated in the Subject field.
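To make the two points above concrete (the RFC 4514 short-name table, and RFC 5280's rule that a parser must be prepared to receive attribute types outside the mandatory set), here is an added example, not code from the question, the answer or any RFC. It hand-encodes an X.501 Name as DER (SEQUENCE OF SET OF AttributeTypeAndValue), decodes it back, and labels each attribute with its RFC 4514 short name; the label "emailAddress" for 1.2.840.113549.1.9.1 is the OpenSSL convention and is an assumption of this example, not something RFC 4514 defines. Any attribute type the table does not know is returned as its dotted OID instead of being rejected, which is the behaviour §4.1.2.4 calls for. The sample subject is constructed. The SAN extension is out of scope here.

```python
"""Minimal DER encoder/decoder for an X.501 Name, mapping attribute type OIDs
to RFC 4514 short names plus PKCS#9 emailAddress. Added example; the DER
routines are hand-written here and are not taken from any RFC or library."""

# RFC 4514 section 3 short names. The last entry is PKCS#9 emailAddress, which
# RFC 4514 does not list; "emailAddress" is the OpenSSL label (assumed here).
SHORT_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.6": "C",
    "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC",
    "0.9.2342.19200300.100.1.1": "UID",
    "1.2.840.113549.1.9.1": "emailAddress",
}
OIDS = {short: oid for oid, short in SHORT_NAMES.items()}

# DER universal tags used below.
TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8STRING, TAG_PRINTABLESTRING, TAG_IA5STRING = 0x0C, 0x13, 0x16


def _length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def _encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # continuation bytes carry the high bit
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def _decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_name(rdns: list[tuple[str, str]]) -> bytes:
    """Encode [(short name or dotted OID, value), ...] as a Name, one attribute per RDN.
    countryName is PrintableString, emailAddress is IA5String, the rest UTF8String."""
    parts = []
    for attr, value in rdns:
        oid = OIDS.get(attr, attr)
        tag = {"C": TAG_PRINTABLESTRING, "emailAddress": TAG_IA5STRING}.get(attr, TAG_UTF8STRING)
        atv = _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(tag, value.encode()))
        parts.append(_tlv(TAG_SET, atv))
    return _tlv(TAG_SEQUENCE, b"".join(parts))


def decode_name(der: bytes) -> list[tuple[str, str]]:
    """Decode a Name into [(label, value), ...]. Unknown attribute types come back
    as dotted OIDs rather than raising: RFC 5280 4.1.2.4 requires implementations
    to be prepared to receive names with attribute types beyond the mandatory set."""
    tag, name, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(name):
        tag, rdn, pos = _read_tlv(name, pos)
        if tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        inner = 0
        while inner < len(rdn):  # a SET may hold several attributes (multi-valued RDN)
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_bytes, after_oid = _read_tlv(atv, 0)
            _, value_bytes, _ = _read_tlv(atv, after_oid)
            oid = _decode_oid(oid_bytes)
            result.append((SHORT_NAMES.get(oid, oid), value_bytes.decode()))
    return result


# Constructed sample subject carrying the PKCS#9 emailAddress attribute.
SAMPLE_SUBJECT = [("C", "US"), ("O", "Example Org"), ("CN", "Alice"),
                  ("emailAddress", "alice@example.com")]

if __name__ == "__main__":
    der = encode_name(SAMPLE_SUBJECT)
    print(der.hex())
    print(decode_name(der))
```

Feeding `decode_name` a Name that carries an attribute the table does not know (for instance 2.5.4.12, title) yields `("2.5.4.12", value)` rather than an error, which is the fallback a conforming relying party needs.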