
For an international domain name with non-ASCII characters, what goes into the CSR's CN field?

@Chiappetta492

Posted in: #CertificateGeneration #Https #Idn

Suppose I control the international domain name (IDN) münchen.example.com (xn--mnchen-3ya.example.com).

Now, I want to get an SSL certificate for this domain name to enable HTTPS for my web site. I have decided which CA to use, I've jumped through all the necessary initial hoops as far as they are concerned, and I'm all but ready to send in a certificate signing request. There is only one small matter left to clear up:

Given that the FQDN has multiple possible representations, what, exactly, goes into the certificate signing request (CSR)'s Common Name (CN) field?


The Unicode domain name (or rather fully-qualified host name)? (In which case, using what Unicode encoding? UTF-8, to maintain ASCII binary compatibility?)
The Punycode-encoded fully-qualified host name?
Something else? (What?)
CA-dependent?


Bonus points for answers that also address web browser compatibility with the described scheme.


2 Comments


 

@Cooney921

As I came across the same problem I did some research and found the following:


Common name in the CSR code needs to be of a certain format. General requirements are latin alphanumeric characters and no special symbols like ! @ # $ % ^ ( ) ~ ? > < & / , . " ' _ More peculiarities are described here for your reference. IDN (International Domain Names) common names should be first converted into the punycode, and then indicated in the CSR.


Source: helpdesk.ssls.com/hc/en-us/articles/204299792-How-to-make-sure-domain-is-correct-in-the-CSR-

Step 1: Convert your International Domain Name (IDN)

Using the IDN Conversion Tool, convert your International Domain Name (IDN) into ASCII characters


Source: search.thawte.com/support/ssl-digital-certificates/index?page=content&id=INFO3118
Though I didn't see any explicit mention, my guess is that if your browser supports IDN domains for URLs, the certificates should work as well.

TL;DR - use the ASCII-encoded domain, like: xn--cjs.com

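The conversion the answer above recommends, as an added example that is not part of the original posts: it turns a Unicode hostname into its ASCII (Punycode) form and checks that the result is a valid DNS name before it goes into the CSR. The function names are hypothetical, and the subjectAltName value is an addition beyond the thread, included because current browsers match the hostname against that extension rather than the CN.

```python
import re

# Letters-digits-hyphen rule for one DNS label; Punycode "xn--" labels satisfy it too.
_LDH = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def to_a_labels(hostname: str) -> str:
    """Return the ASCII (Punycode) form of a hostname.

    Uses Python's built-in "idna" codec, which implements IDNA 2003; a CA's
    own converter may follow newer rules and differ for a few characters.
    """
    labels = hostname.rstrip(".").lower().split(".")
    out = []
    for i, label in enumerate(labels):
        if label == "*" and i == 0:  # wildcard is only accepted as the leftmost label
            out.append(label)
            continue
        try:
            ascii_label = label.encode("idna").decode("ascii")
        except UnicodeError as exc:
            raise ValueError(f"cannot encode label {label!r}: {exc}") from exc
        if not _LDH.fullmatch(ascii_label):
            raise ValueError(f"{ascii_label!r} is not a valid DNS label")
        out.append(ascii_label)
    name = ".".join(out)
    if len(name) > 253:
        raise ValueError("hostname longer than 253 characters")
    return name


def csr_fields(hostname: str) -> dict:
    """CN and subjectAltName values to request in the CSR for one hostname."""
    name = to_a_labels(hostname)
    return {"CN": name, "subjectAltName": f"DNS:{name}"}


if __name__ == "__main__":
    # First hostname is the one from the question; the others are constructed samples.
    for host in ("münchen.example.com", "*.München.example.com", "www.example.com"):
        print(host, "->", csr_fields(host))
```
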


 

@Sims2060225

The Common Name is typically composed of Host + Domain Name and will look like "www.yoursite.com" or "yoursite.com". SSL Server Certificates are specific to the Common Name that they have been issued to at the Host level. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. For example, an SSL Server Certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", as "www.domain.com" and "secure.domain.com" are different from "domain.com". You would need to create a CSR for the correct Common Name. When the Certificate will be used on an Intranet (or internal network), the Common Name may be one word, and it can also be the name of the server.


