Quick start: Generating a certificate request to submit to the CA

See What is a CSR?

Using OpenSSL to generate a CSR

Please note:

Unless your company has been assured, your certificates will contain nothing but commonNames and subjectAltNames; all other fields will be removed!

Submitting a certificate request

In order to request a server/SSL certificate for a domain you first have to register this domain. An email will be sent to a privileged address (postmaster, webmaster... @mydomain.net). Since this registration verifies nothing but the domain, certain restrictions apply to the fields of the certificate.

Example:

CommonName (cn): *.mydomain.net

Advanced users can also generate a single SSL certificate for multiple domains and/or host names using subjectAltName, according to RFC 2818.

Certificate request (CSR):

Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc.,
 CN=*.cacert.org/emailAddress=support@cacert.org
 /subjectAltName=DNS:*.cacert.org/subjectAltName=DNS:cacert.org

And the signed cert looks like:

Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc.,
 CN=*.cacert.org/emailAddress=support@cacert.org
 X509v3 Subject Alternative Name:
 DNS:*.cacert.org, othername:<unsupported>, DNS:cacert.org, othername:<unsupported>

More info on Virtual Hosts: VHOSTS

See the VHOSTS page for more information about virtual hosts and scripts to generate a CSR.

Technical notes:

What is subjectAltName?

subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName):

subjectAltName must always be used (RFC 2818 4.2.1.7, 1. paragraph). CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to use it for all host names, email addresses, etc., not just the "additional" ones.
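The rule above applied with OpenSSL, as an added example that is not CAcert's own script: the host name in CN is repeated in subjectAltName together with every other name. mydomain.net is the page's placeholder domain; the function names and the file names req.cnf, server.key and server.csr are assumptions.

```shell
#!/bin/sh
# Added example: build a CSR whose subjectAltName lists every host name,
# including the one placed in CN. Function and file names are hypothetical.

make_csr() (
    # $1 = output directory, $2 = primary host name (CN), rest = other names
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"                      # CN goes into the SAN list too
    for name in "$@"; do san="$san,DNS:$name"; done

    umask 077                          # keep the private key owner-only
    # Subject carries only CN: a domain-verified certificate keeps nothing
    # but commonName and subjectAltName anyway.
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[ dn ]
CN = $cn
[ ext ]
subjectAltName = $san
EOF

    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/req.cnf" 2>/dev/null
)

csr_names() {
    # Print the DNS names the CSR actually requests, one per line,
    # so they can be checked before the CSR is pasted into the CA form.
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *DNS://'
}

# Usage (quote the wildcard so the shell does not expand it):
#   make_csr . mydomain.net '*.mydomain.net' && csr_names ./server.csr
```
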

subjectAltName and CAcert CSR parser

The CSR parser strips any commonNames and subjectAltNames whose domain the system cannot match to your account. You can view the domains listed on your account by logging in, going to the domains section of the website, and clicking View.

According to the standards, commonName is ignored if you supply a subjectAltName in the certificate. This was verified to work in the latest versions of both MS IE and Firefox (as of 2005/05/12).