Short Intro : Generating a Certificate Request to Send to a CA
What is a CSR?
Your attention please:
Unless you have had your company assured, nothing except the commonName and subjectAltName fields will appear on your certificate; all other fields are removed.
Certificate Submit Request
In order to request a server/SSL certificate for a domain you first have to register this domain. An email will be sent to a privileged address (postmaster, webmaster... @mydomain.net). Since this registration verifies nothing but the domain, certain restrictions apply to the fields of the certificate.
Example: CommonName (cn): *.mydomain.net
For advanced users: you can also generate a single SSL certificate for multiple domains and/or host names using subjectAltName, as described in RFC 2818.
Cert request (CSR):
Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc., CN=*.cacert.org/emailAddress=firstname.lastname@example.org/subjectAltName=DNS:*.cacert.org/subjectAltName=DNS:cacert.org
And the signed cert looks like:
Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc., CN=*.cacert.org/emailAddress=email@example.com
X509v3 Subject Alternative Name: DNS:*.cacert.org, othername:<unsupported>, DNS:cacert.org, othername:<unsupported>
More info on Virtual Hosts: see the VHOSTS page for more information about virtual hosts and for scripts to generate a CSR.
Server Name Indication (SNI) in MS IIS8 and MS IIS8.5: Multiple Certificates Using SNI
What is subjectAltName?
subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName) the rule is stricter:
subjectAltName must always be used (RFC 2818, section 3.1, first paragraph). CN is only evaluated if subjectAltName is not present, and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to list all host names, email addresses, etc. in it, not just the "additional" ones.
subjectAltName and CAcert CSR parser
The CSR parser strips any commonNames and subjectAltNames whose domain the system cannot match to your account. You can view the domains listed on your account by going to the domains section of the website after you log in and then clicking on View.
According to the standards, commonName is ignored if you supply a subjectAltName in the certificate; this has been verified to work in both the latest version of MS IE and Firefox (as of 2005/05/12).
Further reading: Multiple subjectAltName(s) in a CSR with OpenSSL
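As an added example (not a CAcert script, and not the VHOSTS scripts linked above), the following POSIX shell helper puts the subjectAltName rule described under "What is subjectAltName?" into practice: it writes an OpenSSL req config whose subjectAltName lists every host name, the CN included, and generates the key and CSR. The host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not a CAcert script. Writes an OpenSSL "req" config whose
# subjectAltName lists every host name (the CN included, so nothing depends
# on the deprecated CN fallback) and generates the matching key and CSR.
# Host names used here are constructed placeholders.

# san_config CN [HOST...]: print an openssl req config for CN with a
# subjectAltName covering CN plus every HOST (duplicates of CN are skipped).
san_config() {
    cn=$1; shift
    sans="DNS:$cn"
    for h in "$@"; do
        [ "$h" = "$cn" ] && continue
        sans="$sans,DNS:$h"
    done
    cat <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $cn

[ v3_req ]
subjectAltName = $sans
EOF
}

# gen_csr CN [HOST...]: create server.key and server.csr in $CSR_DIR
# (default: current directory) and print the CSR's SAN line for checking.
gen_csr() {
    dir=${CSR_DIR:-.}
    san_config "$@" > "$dir/san.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/san.cnf" 2>/dev/null || return 1
    # Show the requested SAN so you can confirm every name is listed
    # before submitting the CSR to the CA.
    openssl req -in "$dir/server.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: CSR_DIR=/tmp/csr gen_csr '*.mydomain.net' mydomain.net www.mydomain.net
```

Check the printed SAN line against the domains registered on your account before uploading the CSR, since any name the parser cannot match is stripped.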