Domain Control Validated

Is there any way to generate a cert from Let’s Encrypt that has the OU = Domain Control Validated option?
Our Cert for our SSL VPN needs renewing but every time I generate a certificate it doesn’t have this information available, and I believe that this causing the issue when users are trying to log onto the VPN.
Is this possible?

I think it needs to be empty for DV certs?

I don’t know - the only differences that I can see are that the old cert that worked has OU = Domain Control Validated in it and the one that doesn’t work, doesn’t.

Hi @AngryDog

Letsencrypt ignores these additional fields.

So these fields are always empty.

I don't think that's the reason.


Thanks Jan, I think you’re right.

Let’s Encrypt certificates are always domain control validated, but they don’t advertise this via the OU field. (Instead, the validation is described in various documents on the https://letsencrypt.org/ site.)


Another way to tell we issue domain validated certificates is by noticing the presence of the 2.23.140.1.2.1 policy OID in the x509 v3 Certificate Policies extension. Example:

$> openssl s_client -connect binaryparadox.net:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A2 "Certificate Policies"
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1

You can match the 2.23.140.1.2.1 OID to the CABF OID registry: Object Registry – CAB Forum

Under the Baseline Requirements, additional OIDs adopted by the CA / Browser Forum are:

  • domain-validated(1) => (2.23.140.1.2.1) (Compliant with Baseline Requirements – No entity identity asserted)
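The check the post above does with grep can also be done on the extension bytes themselves. Below is an added example (not from the thread or from Let's Encrypt) that decodes a DER-encoded certificatePolicies extension value and reports whether the CA/Browser Forum domain-validated OID 2.23.140.1.2.1 is present; the sample extension is constructed inline to match the two policies in the openssl output, and in a real certificate the input would be the OCTET STRING contents of the extension with OID 2.5.29.32.

```python
"""Decode an X.509 certificatePolicies extension (DER) and test for the
CA/Browser Forum domain-validated policy OID. Pure standard library."""

CABF_DV_OID = "2.23.140.1.2.1"   # CABF Baseline Requirements: domain-validated(1)

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                               # continuation bytes carry bit 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid, given the OID contents without tag and length."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                         # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def policy_oids(ext_value: bytes) -> list:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; collect each
    PolicyInformation's policyIdentifier (its first element, an OID)."""
    tag, seq, _ = read_tlv(ext_value, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        inner_tag, oid_body, _ = read_tlv(info, 0)
        assert tag == 0x30 and inner_tag == 0x06, "malformed PolicyInformation"
        oids.append(decode_oid(oid_body))
    return oids

def is_domain_validated(ext_value: bytes) -> bool:
    return CABF_DV_OID in policy_oids(ext_value)

def der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return bytes([0x30, len(body)]) + body       # short-form length is enough here

# Constructed sample: the same two policies shown in the openssl output above.
SAMPLE_EXT = der_seq(der_seq(encode_oid(CABF_DV_OID)),
                     der_seq(encode_oid("1.3.6.1.4.1.44947.1.1.1")))
```

Only the policy OID is decoded; any policyQualifiers that follow it inside a PolicyInformation are skipped, which is all this check needs.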