CSR for SAN cert


#1

Hi

I need to generate multi-domain wildcard certificate for domains *.domain1.com and *.domain2.com. I’m not sure how CSR should look. Should it have Common Name field filled, and with what value? I’m having problems finalizing an order. In particular, I’m using Certes client.

TIA
Ivan


#2

Hi,

You should at least set one domain in the common name fields…

and all domains you wish to include listed in Subject Alternative Names field…

Please Note that if you also want to secure the root domain, you will also include that in the CSR (since wildcard does not include root domain)

Thank you

P.S. Here’s a sample CSR: (Only domains are actually required & need to be precise, since LE only provide DV certificate)

  • ----BEGIN CERTIFICATE REQUEST-----
    MIIDOzCCAiMCAQAwgZ8xFTATBgNVBAgMDFNhbXBsZSBTdGF0ZTELMAkGA1UECwwC
    SVQxJTAjBgkqhkiG9w0BCQEWFmR1bW15ZW1haWxAZXhhbXBsZS5jb20xCzAJBgNV
    BAYTAlVTMRcwFQYDVQQKDA5TYW1wbGUgQ29tcGFueTEWMBQGA1UEAwwNKi5leGFt
    cGxlLmNvbTEUMBIGA1UEBwwLU2FtcGxlIENpdHkwggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQClVHQQ6RVpS3nDImyFs2M/8XDiXvj8iWgokrir6trqW4dY
    kjU8pVxITQ48RMWh9IixxXWoUZC/Lz01ShcI78Pmq1hJlRzj8AeZypZtYUfuNQNE
    b86t4ARhlQXDQ7BUn1Q4agoH/lrQMn4tPKgPzM95R6QqLeqfSQOUmccpBTgJLo0P
    dM/YL8ES8lhYkABJM6/xHXdLaCqMjeB7+wNBBrItIUx+sMg0+bDCb4FbsbaqqF3Z
    pk2YkbISIQhAkb6jWmg8BqTBovOni/3CPFv89NN+/NAtDdBoV3Y6EgPLoyMsBHKu
    Xt8SscL2Oc+o1jt64WGlpMjfiVL9A7skrdztQuRzAgMBAAGgVjBUBgkqhkiG9w0B
    CQ4xRzBFMEMGA1UdEQQ8MDqCDSouZXhhbXBsZS5jb22CDiouZXhhbXBsZTEuY29t
    ggtleGFtcGxlLmNvbYIMZXhhbXBsZTEuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB3
    SsopjmBnEEFPpdJ1azfElngu6ym4MvHBJm7m7NpT57wAtE9Nca4lC4Mf6O5h+AuH
    RoYtOlDHF30MvULjWwnJpxFLIb/o1PqF34cUJclBfAhyE6Qr6OxSZkTrCznNyzBl
    o+tKG7Ul19BGq+UifweNjFX7M2IkvXHBLU0nICAi2X0P1l2lrpHuw/9GybhcAPPq
    FKvR5vX30r+tWeGlkU4EgohdVmFwW3dkeJUlQtyXHGWfm2Jh54oMeemvatwfMxMg
    X2fU988XjvvWgROikbfSW77/8uGVHdaxvwAYnpSnkrXauAJ1ixSXJQA/Eh+siNCX
    BvZ1zJg9wzxm817V7dpa
    -----END CERTIFICATE REQUEST-----

#3

I think this is now optional from the CA’s perspective; maybe @cpu could confirm this?


#4

That’s true…

However, when generating CSRs, it’s better to control what host is being displayed on common name field…

P.S. On the go system’s certificate doesn’t have a hostname on common name
Just Mutli-Domain certificate


#5

Thanks everyone. I found nice feature in the Certes’ API that generates CSR from LE order. Under the hood the feature is doing exactly what you suggested, it sets CN = one of a wildcard domains and sets Subject Alt Name = a list of all wildcard domains.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.