How to create SSL certificate with CSR and KEY self-created with very long CN?

tanquang · June 30, 2020, 7:18pm

I am using this website to generate KEY and CSR for me: https://www.ssl.com/online-csr-and-key-generator/
I want to create CSR and KEY with the following information:

Common Name (CN): yidongku.xx.xx, *.yidongku.xx.xx, filehosting.xxxxx.xx, *.filehosting.xxxxx.xx, rapidfire.xxx.xx, *.rapidfire.xxx.xx, send-to-space.xx.xx, *.send-to-space.xx.xx, woshare.xx.xx, *.woshare.xx.xx, summerfall.xxx.xx, *.summerfall.xxx.xx, meocuoisaochoi.xxx.xx, *.meocuoisaochoi.xxx.xx, cloudrive.xxx.xx, *.cloudrive.xxx.xx
Organization (O): My Company Co., Ltd.
Country (C): VN
Hashing Algorithm: SHA-256
Signing Algorithm: ECDSA
Key Size: 256

That website created me CSR and KEY, I used SSLForFree.co to create a certificate for me, I checked “I Have My Own CSR” then paste the CSR generated from the website and click “Download SSL Certificate”.
After a while, I received the error message:

{ "type": "urn:ietf:params:acme:error:badCSR", "detail": "Error finalizing order :: CN was longer than 64 bytes", "status": 400 }

The CN is very long, up to 318 characters. However, I don’t want to split it to register into multiple certificates, it is very inconvenient to renew.
Therefore, I would like to ask is there any way to register SSL certificate with CSR self-created and CN very long?
Thanks for any of your help!

JuergenAuer · June 30, 2020, 7:21pm

Hi @tanquang

please read your error message. Max. CN = 64 bytes.

PS: Looks like your definition is wrong. CN=one name. If your certificate should have additional domain names, you need a SAN list.

It's wrong to add more then one domain name (comma separated) in the CN field.

tanquang · June 30, 2020, 7:34pm

I know, so I want to know if there is any solution to help me “bypass” the 64-character limit? Separating them from multiple registrations is very annoying, the renewal also takes a lot of time and I’m worried my domain name and IP will be limited.
I tried using *.summerfall.xxx.xx only in CN and I got the error:

{ "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Error finalizing order :: Order includes different number of names than CSR specifies", "status": 403 }

orangepizza · June 30, 2020, 7:44pm

CN will only parsed as single name by browser even if it’'s shorter then 64charactor.
you put on all the names in SAN extension (you need to do this anyway, as let’s encrypt reject if csr 's CN doesn’t included in it’s SAN extension.
if you better to let client write CSR for you. as LE only do DV certificate, your Organization and country name will be droped.

danb35 · June 30, 2020, 10:47pm

But OP isn't using LE; he's using sslforfree.com (which uses a different CA). So he shouldn't be posting here at all.

Topic		Replies	Views
SSL for very-long named domain Feature Requests	3	3565	March 23, 2019
Certbot errors with `Obtaining a new certificate An unexpected error occurred: The CSR is unacceptable (e.g., due to a short key) :: Error finalizing order :: issuing precertificate: CSR doesn't contain a SAN short enough to fit in CN` Help	4	4808	December 4, 2019
A certificate for a 63-character domain Help	6	10121	December 30, 2018
Questions re: Simplifying Issuance for Very Long Domain Names Issuance Policy	36	1993	December 28, 2023
An unexpected error occurred. Please help Help	14	965	March 20, 2023

How to create SSL certificate with CSR and KEY self-created with very long CN?

Related topics