Issue certificate for domain with single IDN character

My domain is: ᐁ.cc

I ran this command: openssl req -new -utf8 -sha256 -key ᐁ.cc/ᐁ.cc.key -subj /CN=xn--xce.cc -config ᐁ.cc/ᐁ.cc.csr.conf -out ᐁ.cc/ᐁ.cc.csr

Contents of ᐁ.cc.csr.conf:

[ req_distinguished_name ]
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]

keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=DNS:ᐁ.cc

Then I ran a curl POST to https://acme-v01.api.letsencrypt.org/acme/new-cert

It produced this output: “policy forbids issuing for: \”

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Debian Wheezy

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @FennyFatal,

Can you please share the generated CSR?

I would expect this part of the configuration to be punycoded like the CN you provided on the command line. (also, is the trailing ' character a copy-paste mistake?)

Yes, the trailing ’ character was a mistake.

-----BEGIN CERTIFICATE REQUEST-----
[CSR body not preserved in this copy of the thread]
-----END CERTIFICATE REQUEST-----

I need to have the literal representation of the domain either in the alias or in the CN, or many XMPP clients will reject the punycoded IDN. It is a requirement of the XMPP protocol that all references to a JID be sent as UTF-8 over the wire.

Unfortunately I think this requirement will preclude using a certificate issued by a trusted root certificate authority. RFC 5280 defines how to put an internationalized name into a certificate's distinguished name (e.g. Subject Alternative Name) in Section 7.3:

To represent a label from an IDN in the distinguished name, the implementation MUST perform the "ToASCII" label conversion specified in Section 4.1 of RFC 3490. The label SHALL be considered a "stored string". That is, the AllowUnassigned flag SHALL NOT be set.

The net result is that Let's Encrypt (and I believe any other CA compliant with the Baseline Requirements) won't be able to issue a certificate with the Unicode international domain represented literally as you say XMPP requires. I'm not familiar enough with the guts of XMPP to say what the best path forward is :frowning:

I hope you can figure something out. ᐁ.cc is an awesome domain name! :trophy:

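To make the RFC 5280 point above concrete (and the poster's XMPP display concern before it), here is an added example that is not from the thread or from Let's Encrypt: it applies the RFC 3490 "ToASCII" conversion the RFC quote refers to, checks whether a name is in the A-label form a CA can place in a dNSName or CN, and rewrites an openssl `subjectAltName=` line so its DNS entries are punycoded. It uses only the Python standard library; the `idna` codec it relies on implements RFC 3490 (IDNA2003). The config text and function names are constructed for the example.

```python
"""Added example: IDN handling for certificate requests (not code from the thread).

The stdlib 'idna' codec performs the RFC 3490 ToASCII / ToUnicode conversions
that RFC 5280 sections 7.2 and 7.3 require for names in certificates.
"""

import re


def to_a_label(hostname: str) -> str:
    """RFC 3490 ToASCII applied label by label: 'ᐁ.cc' -> 'xn--xce.cc'.

    ASCII labels are passed through unchanged; a label that fails nameprep or
    exceeds 63 octets raises UnicodeError, which we deliberately let propagate.
    """
    return hostname.rstrip(".").encode("idna").decode("ascii")


def to_u_label(hostname: str) -> str:
    """Inverse conversion (ToUnicode), e.g. for displaying the JID domain
    that a certificate carries as an A-label: 'xn--xce.cc' -> 'ᐁ.cc'."""
    return hostname.encode("ascii").decode("idna")


def is_a_label_name(name: str) -> bool:
    """True if `name` is something a CA following RFC 5280 can put in a
    dNSName / CN: non-empty, pure ASCII, and structurally valid (label lengths).

    A raw UTF-8 name such as 'ᐁ.cc' fails this check, which is the situation
    the original poster ran into."""
    if not name or not name.isascii():
        return False
    try:
        to_a_label(name)
    except UnicodeError:
        return False
    return True


# Matches an openssl req config line such as "subjectAltName=DNS:ᐁ.cc,DNS:www.ᐁ.cc"
SAN_LINE = re.compile(r"^(\s*subjectAltName\s*=\s*)(.*)$", re.IGNORECASE)


def punycode_san_line(line: str) -> str:
    """Rewrite every DNS: entry on a subjectAltName line to its A-label.
    Other entry types (IP:, email:, URI:) and non-SAN lines are left untouched."""
    match = SAN_LINE.match(line)
    if not match:
        return line
    prefix, entries = match.groups()
    fixed = []
    for entry in entries.split(","):
        entry = entry.strip()
        kind, sep, value = entry.partition(":")
        if sep and kind.strip().upper() == "DNS":
            fixed.append(f"DNS:{to_a_label(value.strip())}")
        else:
            fixed.append(entry)
    return prefix + ",".join(fixed)


def punycode_config(conf: str) -> str:
    """Apply punycode_san_line to each line of an openssl req config."""
    return "\n".join(punycode_san_line(line) for line in conf.splitlines()) + "\n"


# Constructed config modelled on the one in the thread (Unicode SAN, as posted).
CONSTRUCTED_CONF = """[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=DNS:ᐁ.cc
"""

if __name__ == "__main__":
    print("A-label:", to_a_label("ᐁ.cc"))
    print("acceptable in a cert:", is_a_label_name("ᐁ.cc"), is_a_label_name("xn--xce.cc"))
    print(punycode_config(CONSTRUCTED_CONF))
```

Feeding the rewritten config to the same `openssl req` command yields a CSR whose SAN is `DNS:xn--xce.cc`, matching the punycoded CN already on the command line. Verifiers compare host names on their A-label form, so a client holding the JID `ᐁ.cc` converts it with the same ToASCII step before matching it against the certificate; `to_u_label` is only needed for display.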

I've created a test CSR with my local IIS, then checked it online. Result:

Common name: ᐁ.cc

no alternate name.

Normally, I don't use punycode domains. But perhaps it works with CN=ᐁ.cc
