Do you support OpenNIC top level domains?

Related to the questions about “new” and internationalized TLDs I’d like to ask: Do you support OpenNIC TLDs?

Obviously this depends on what DNS server you use and whether you want to include support for such domains too.


That’s an interesting question. I hadn’t seen OpenNIC before! Looks like a cool project.

I’m fairly certain we cannot issue to domains under TLDs recognized by OpenNIC but not by ICANN. Here are the relevant sections of the Baseline Requirements:

Internal Name: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA’s Root Zone Database.

Prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016.
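
The Internal Name definition quoted above comes down to a check on the last label of each Common Name or Subject Alternative Name value. The following is an added example, not part of the original post and not Let's Encrypt's code; the TLD set is a constructed subset of IANA's Root Zone Database, the sample names are constructed, and `.geek` is assumed to be an OpenNIC-only TLD.

```python
import ipaddress

# Constructed subset of IANA's Root Zone Database, for illustration only.
# A real check would load the full, current list published by IANA.
IANA_TLDS = {"com", "org", "net", "de"}


def classify_name(name, iana_tlds=IANA_TLDS):
    """Classify one CN/SAN value as 'ip', 'public' or 'internal'."""
    value = name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(value)
        return "ip"  # the Internal Name definition excludes IP addresses
    except ValueError:
        pass
    labels = value.split(".")
    # A wildcard is only the leftmost label; it does not change the TLD.
    if labels[0] == "*":
        labels = labels[1:]
    # Empty or malformed names cannot be verified in the public DNS.
    if not labels or not all(labels):
        return "internal"
    # Single-label names ("mailserver") and non-IANA TLDs both land here.
    return "public" if labels[-1] in iana_tlds else "internal"


def internal_names(names, iana_tlds=IANA_TLDS):
    """Return the requested names a publicly trusted CA could not issue for."""
    return [n for n in names if classify_name(n, iana_tlds) == "internal"]


# Constructed sample of names from a hypothetical certificate request.
SAMPLE_SANS = [
    "www.example.com",
    "example.geek",   # assumed OpenNIC-only TLD
    "mailserver",     # single-label internal host name
    "*.example.org",
    "10.0.0.1",
]

if __name__ == "__main__":
    for san in SAMPLE_SANS:
        print(f"{san:20} {classify_name(san)}")
```
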


Oh, still nice to hear that. :smiley:

I know this is an old post, but is there any information on this? If it was to be reviewed last October, what is the current state?

Not reviewed, eliminated. The practice of issuing for names that aren’t part of the Internet DNS (which would include OpenNIC and anybody else having fun making up their own names) was eliminated from the Web PKI. The October 2016 deadline was for existing certificates for such “internal” names to be revoked. My work through December / January included identifying a handful of missed cases which were revoked then.


So is there any update? Will Let’s Encrypt try to support OpenNIC? This would be amazing!

I think you misinterpreted @rugk’s post. As @tialaramex pointed out, as a CA participating in the web PKI under the Baseline Requirements from the CA/Browser Forum, Let’s Encrypt cannot support OpenNIC domains. This isn’t a Let’s Encrypt limitation but a decision made by the broader web PKI community.

Hope that helps clear things up!

I would think it would be useful for OpenNIC to start its own CA that is name-constrained or at least publicly committed by policy to issue only for OpenNIC TLDs. Then documentation for using OpenNIC as a client could include instructions to add OpenNIC’s root certificate, not just change DNS settings. They could, of course, use ACME and Boulder to make this process relatively easy for web site operators who want to use OpenNIC TLDs.

It might be a little tough to integrate this with Certificate Transparency because mainstream logs will probably not accept logging from a non-browser-approved root for non-ICANN names, which would also then be a problem when CT becomes mandatory (although I guess manually-added roots will still be exempted then).