Quick intro: Generating a certificate request to send to the CA
See What is a CSR?
Using OpenSSL to generate a CSR
Please note:
Unless you have had your company assured, your certificates will contain nothing but commonNames and subjectAltNames; all other fields will be removed!
Submitting the certificate request
In order to request a server/SSL certificate for a domain you first have to register this domain. An email will be sent to a privileged address (postmaster, webmaster... @mydomain.net). Since this registration verifies nothing but the domain, certain restrictions apply to the fields of the certificate.
Example: CommonName (cn): *.mydomain.net
Advanced users can also generate a single SSL certificate for multiple domains and/or hostnames using subjectAltName, according to RFC 2818.
Cert request (CSR):
    Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc., CN=*.cacert.org/emailAddress=support@cacert.org /subjectAltName=DNS:*.cacert.org/subjectAltName=DNS:cacert.org
And the signed cert looks like:
    Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc., CN=*.cacert.org/emailAddress=support@cacert.org
    X509v3 Subject Alternative Name:
        DNS:*.cacert.org, othername:<unsupported>, DNS:cacert.org, othername:<unsupported>
More info on Virtual Hosts VHOSTS
Please feel free to see here for more information about virtual hosts and scripts to generate CSRs.
Technical notes:
What is subjectAltName?
subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName):
subjectAltName must always be used (RFC 2818 4.2.1.7, 1. paragraph). CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to use it for all host names, email addresses, etc., not just the "additional" ones.
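The rule above applied with OpenSSL, as an added example that is not part of the original page: it builds a CSR whose subjectAltName lists every host name, including the one used as commonName, and then checks the finished request. The function names (make_csr, csr_sans, csr_ok) and the file names are assumptions made for this example; the host names are the ones the page uses.

```shell
#!/bin/sh
# Added example (not CAcert's own script): CSR with all host names in SAN.

# make_csr DIR CN [SAN...]  -> writes DIR/server.key and DIR/server.csr
make_csr() {
    dir=$1; cn=$2; shift 2
    san=""
    for name in "$cn" "$@"; do     # the CN itself goes into the SAN list too
        case ",$san," in *",DNS:$name,"*) continue ;; esac   # skip duplicates
        san="${san:+$san,}DNS:$name"
    done
    cat > "$dir/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = $cn
[ v3_req ]
subjectAltName = $san
EOF
    ( umask 077    # keep the unencrypted private key readable by owner only
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -config "$dir/csr.cnf" \
          -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null )
}

# csr_sans CSR -> prints the DNS names requested in the CSR, one per line
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_ok CSR -> succeeds only if the request's signature verifies and the
# commonName also appears among the subjectAltName entries
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    cn=$(openssl req -in "$1" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    csr_sans "$1" | grep -Fxq -- "$cn"
}
```

For the page's example, call `make_csr "$dir" '*.cacert.org' 'cacert.org'` with single-quoted names so the shell does not expand the wildcard, then run `csr_ok "$dir/server.csr"` before submitting the request.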
subjectAltName and CAcert CSR parser
The CSR parser strips any commonNames and subjectAltNames if the system can't match the domain to your account. You can view the domains listed on your account by going to the domains section of the website after you log in and then clicking on View.
According to the standards, commonName will be ignored if you supply a subjectAltName in the certificate. This was verified to be working in both the latest version of MS IE and Firefox (as of 2005/05/12).
Further reading Multiple subjectAltName(s) in a CSR with OpenSSL