Short Intro: Generating a Certificate Request to Send to a CA

See What is a CSR?

Using OpenSSL to generate a CSR

Your attention please:

Unless you have your company assured, nothing except commonNames and subjectAltNames will appear on your certificate; the other fields are removed.

Certificate Submit Request

In order to request a server/SSL certificate for a domain you first have to register this domain. An email will be sent to a privileged address (postmaster, webmaster... @mydomain.net). Since this registration verifies nothing but the domain, certain restrictions apply to the fields of the certificate.

Example:

CommonName (cn): *.mydomain.net

Advanced users can also generate a single SSL cert for multiple domains and/or hostnames using subjectAltName, according to RFC 2818.

Cert request (CSR):

Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc.,
 CN=*.cacert.org/emailAddress=support@cacert.org
 /subjectAltName=DNS:*.cacert.org/subjectAltName=DNS:cacert.org

And the signed cert looks like:

Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc.,
 CN=*.cacert.org/emailAddress=support@cacert.org
 X509v3 Subject Alternative Name:
 DNS:*.cacert.org, othername:<unsupported>, DNS:cacert.org, othername:<unsupported>

More info on Virtual Hosts VHOSTS

Technical notes

What is subjectAltName ?

subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName):

subjectAltName must always be used (RFC 2818 4.2.1.7, 1. paragraph). CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to use it for all host names, email addresses, etc., not just the "additional" ones.
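The matching rule described above, as an added example that is not CAcert's code: subjectAltName DNS entries are checked when present and CN only as a fallback, plus a check to run before submitting that the CN host name is repeated in the subjectAltName list. The function names and the example.org values are constructed, and honouring "*" only as the whole left-most label is an assumption about the client.

```python
# Added example (not CAcert code): which names a client checks in a certificate.
# Assumption: '*' is honoured only as the entire left-most label.

def dns_name_matches(pattern, host):
    """Compare one certificate DNS name against the requested host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard stands for exactly one label
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h

def names_to_check(cn, san_dns):
    """SAN DNS entries are authoritative; CN is a fallback when there are none."""
    if san_dns:
        return list(san_dns)
    return [cn] if cn else []

def cert_matches(host, cn, san_dns):
    """True if the host is covered by the names a compliant client evaluates."""
    return any(dns_name_matches(n, host) for n in names_to_check(cn, san_dns))

def cn_missing_from_san(cn, san_dns):
    """Pre-submission lint: True if SANs are set but do not repeat the CN."""
    if not cn or not san_dns:
        return False
    return cn.lower() not in {n.lower() for n in san_dns}

if __name__ == "__main__":
    # Names from the CSR shown on this page.
    page_cn, page_san = "*.cacert.org", ["*.cacert.org", "cacert.org"]
    for host in ("www.cacert.org", "cacert.org", "a.b.cacert.org"):
        print(host, cert_matches(host, page_cn, page_san))
    # Constructed request that forgets to repeat the CN in the SAN list.
    bad_cn, bad_san = "www.example.org", ["mail.example.org"]
    print("CN ignored:", not cert_matches("www.example.org", bad_cn, bad_san))
    print("lint flags it:", cn_missing_from_san(bad_cn, bad_san))
```

The wildcard entry alone does not cover the bare domain, which is why the request on this page lists both *.cacert.org and cacert.org.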

subjectAltName and CAcert CSR parser

The CSR parser strips any commonNames and subjectAltNames if the system can't match the domain to your account. You can view the domains listed on your account by going to the domains section of the website after you log in, and then clicking on View.

According to the standards, commonName will be ignored if you supply a subjectAltName in the certificate. This was verified to be working in the latest versions of both MS IE and Firefox (as of 2005/05/12).


FAQ/SubmitCsr (last edited 2015-12-01 19:12:04 by AlesKastner)