Issue certificate for domain with single IDN character


My domain is: ᐁ.cc

I ran this command: openssl req -new -utf8 -sha256 -key ᐁ.cc/ᐁ.cc.key -subj / -config ᐁ.cc/ᐁ.cc.csr.conf -out ᐁ.cc/ᐁ.cc.csr

Contents of ᐁ.cc.csr.conf:

[ req_distinguished_name ]
# left empty: the subject is passed on the command line with -subj /

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Then I ran curl POST to

It produced this output: “policy forbids issuing for: \”

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Debian Wheezy

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


Hi @FennyFatal,

Can you please share the generated CSR?

I would expect this part of the configuration to be punycoded like the CN you provided on the command line. (also, is the trailing ' character a copy-paste mistake?)


Yes, the trailing ’ character was a mistake.


I need to have the literal representation of the domain either in alias or in the CN, or many XMPP clients will reject the punycoded IDN. It is a requirement of the XMPP protocol that all references to a JID be sent as UTF-8 over the wire.


Unfortunately I think this requirement will preclude using a certificate issued by a trusted root certificate authority. RFC 5280 defines how to put an internationalized name into a certificate’s distinguished name (e.g. Subject Alternate Name) in Section 7.3:

To represent a label from an IDN in the distinguished name, the implementation MUST perform the “ToASCII” label conversion specified in Section 4.1 of RFC 3490. The label SHALL be considered a “stored string”. That is, the AllowUnassigned flag SHALL NOT be set.

The net result is that Let’s Encrypt (and I believe any other CA compliant with the baseline requirements) won’t be able to issue a certificate with the unicode international domain represented literally as you say XMPP requires. I’m not familiar with the guts of XMPP to say what the best path forward is :frowning:

I hope you can figure something out. ᐁ.cc is an awesome domain name! :trophy:
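To make the RFC 5280 rule above concrete, here is an added example (not code from this thread or from Let's Encrypt) that converts the domain to its A-label with the ToASCII step quoted from RFC 3490, runs a CA-style check that refuses any non-ASCII name the way the poster's request was refused, and emits the `alt_names` section the poster's CSR config was missing. It goes slightly beyond the thread by also validating the syntax of each label; the function names and the regex are assumptions of this example.

```python
# Added example, not from the original thread. Assumes only the standard library.
import re

# One DNS label after ToASCII: LDH, 1..63 chars, no leading/trailing hyphen.
_A_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def to_a_label(domain: str) -> str:
    """ToASCII per RFC 3490 for every label of a domain.

    Python's idna codec runs nameprep and punycode label by label and raises
    UnicodeError on unassigned code points, which matches the 'stored string'
    (AllowUnassigned not set) rule quoted above.
    """
    return domain.encode("idna").decode("ascii").lower()


def policy_check(names):
    """CA-style check of requested CN/SAN values.

    Returns (accepted, rejected). A name is rejected if it is not pure ASCII
    (a U-label such as the poster's literal domain) or if any label is not a
    valid LDH label. This mirrors the kind of refusal seen in the thread.
    """
    accepted, rejected = [], []
    for name in names:
        labels = name.lower().split(".")
        if name.isascii() and all(_A_LABEL.match(lbl) for lbl in labels):
            accepted.append(name.lower())
        else:
            rejected.append(name)
    return accepted, rejected


def render_openssl_conf(domains):
    """Build an openssl req config whose v3_req carries the A-labels as SANs."""
    a_labels = [to_a_label(d) for d in domains]
    lines = [
        "[ req ]",
        "distinguished_name = req_distinguished_name",
        "req_extensions = v3_req",
        "[ req_distinguished_name ]",
        "[ v3_req ]",
        "keyUsage = nonRepudiation, digitalSignature, keyEncipherment",
        "subjectAltName = @alt_names",
        "[ alt_names ]",
    ]
    lines += [f"DNS.{i} = {label}" for i, label in enumerate(a_labels, 1)]
    return "\n".join(lines) + "\n"
```

Feed the rendered config to `openssl req -config` as in the original command; the certificate will then carry `xn--xce.cc`, and it is the client that must map that A-label back to the displayed form.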


I’ve created a test CSR with my local IIS. Then checked it online. Result:

Common name: ᐁ.cc

no alternate name.

Normally, I don’t use punycode domains. But perhaps it works with CN=ᐁ.cc
