Create a certificate with custom SAN

I have a request from the security team to create a certificate and add a custom SAN; the SAN is URI:egw://serverName.domainName/path.

I create a config and use OpenSSL to create the CSR:

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
# extensions added to the CSR (used by "openssl req -new")
req_extensions = req_ext
# extensions used only for self-signed output ("openssl req -x509")
x509_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address

[ req_ext ]
subjectAltName = @alt_names

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
# uniformResourceIdentifier SAN entry
URI.1 = egw://serverName.domainName/path

I sent the request to Let's Encrypt using the command below:

certbot certonly --manual --preferred-challenges=dns --csr exemplo.csr

The certificate was created, but with a DNS name in the SAN rather than the URI.

Is there a way to add the SAN URI:egw://serverName.domainName/path?

In short, no. The only names that can appear in that list are domain names validated by a supported ACME challenge. These are DV-validated certs following the ACME standards.

4 Likes

URI SANs are not supported.

The Baseline Requirements all publicly trusted CAs must follow only permit DNS Names and IP addresses in certificates: https://cabforum.org/uploads/CA-Browser-Forum-TLS-BRs-v2.0.2.pdf#page88

7 Likes
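The following script is an added example and is not part of the thread or of certbot/OpenSSL. It rebuilds the question's CSR with a URI SAN (plus a DNS name), prints the SAN entries OpenSSL encoded into the request, and then applies the check the two answers imply: before a CSR goes to a publicly trusted CA, every SAN entry must be a dNSName or an iPAddress, because the Baseline Requirements permit nothing else. It assumes `openssl` is on PATH; the host name, scheme and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a CSR carrying a URI SAN and
# checks whether its SAN list is one a public CA (e.g. Let's Encrypt) can honour.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Request config in the style of the question. prompt=no lets the DN be read
# from the file instead of interactively. Names are constructed placeholders.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
CN = serverName.domainName

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = serverName.domainName
URI.1 = egw://serverName.domainName/path
EOF
}

# Generate a fresh key and the CSR from that config.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -config "$WORK/req.cnf" -out "$WORK/req.csr" 2>/dev/null
}

# Print the SAN entries OpenSSL decoded from the CSR, e.g.
# "DNS:serverName.domainName, URI:egw://serverName.domainName/path"
san_line() {
  openssl req -in "$WORK/req.csr" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | sed 's/^ *//'
}

# Exit 0 when every SAN entry is DNS: or IP Address:, 1 otherwise.
# Those are the only SAN types the Baseline Requirements allow, so anything
# else (URI, email, otherName) will be dropped or rejected by a public CA.
san_public_ca_ok() {
  if san_line | tr ',' '\n' | sed 's/^ *//; /^$/d' \
       | grep -v -E '^(DNS:|IP Address:)' >/dev/null; then
    return 1
  fi
  return 0
}

demo() {
  write_config
  make_csr
  echo "CSR SANs: $(san_line)"
  if san_public_ca_ok; then
    echo "all SANs are DNS/IP: a public CA can issue these names"
  else
    echo "CSR carries a non-DNS/IP SAN: a public CA will not include it"
  fi
}
demo
```

Running it prints both SAN entries, showing that OpenSSL happily encodes the URI into the CSR, and then reports that the request is not one a public CA can fulfil as written. Dropping the `URI.1` line from `alt_names` makes the check pass; a URI SAN can only be honoured by a private CA you operate yourself.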

Nowhere?
[did I read that out-of-context?]

3 Likes

Oh, I should say, URI SANs are not supported in the publicly trusted web PKI, which includes Let's Encrypt and any other CA trusted by Chrome/Apple/Microsoft/Mozilla for websites.

(In fact, before Let’s Encrypt I worked on a private PKI system built around URI SANs called SPIFFE)

6 Likes
