## page was renamed from SubmitCsr
## 20200110 AK
----
[[FAQ/SubmitCsr/CZ|Česky]] | '''english'''
----

= Short Intro: Generating a Certificate Request to Send to a CA =

See also:
 * What is a [[CSR]]?
 * [[HowTo/CertP10toBase64Coding|What if my generated CSR has the P10 (.p10) format?]]
 * [[HELP/4|Using OpenSSL to generate a CSR]]
 * [[TutorialsHowto/Generate-new-CSR|Use CAcert's new CSR generation tool to create a CSR in your browser]]

== Your attention please ==

'''Unless you [[OrganisationAssurance|assure your company]], nothing except commonNames and subjectAltNames will appear on your certificate; all other fields are removed.'''

== Certificate Submit Request ==

In order to request a server/SSL certificate for a domain, you first have to register this domain. An email will be sent to a privileged address (postmaster, webmaster... @mydomain.net). Since this registration verifies nothing but the domain, certain restrictions apply to the fields of the certificate.

{{{
Example:
CommonName (cn): *.mydomain.net
}}}

Advanced users can also generate a single SSL certificate for multiple domains and/or hostnames using subjectAltName, according to [[http://www.faqs.org/rfcs/rfc2818.html|RFC 2818]]:

{{{
Cert request (CSR) :
Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc., CN=*.cacert.org/emailAddress=support@cacert.org /subjectAltName=DNS:*.cacert.org/subjectAltName=DNS:cacert.org

And the signed cert looks like:
Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc., CN=*.cacert.org/emailAddress=support@cacert.org
X509v3 Subject Alternative Name:
DNS:*.cacert.org, othername:, DNS:cacert.org, othername:
}}}

== More info on Virtual Hosts (VHOSTS) ==

 * See [[VhostTaskForce|More info about Virtual Hosts & scripts to generate CSR]]
 * Server Name Indication (SNI) in MS IIS8 and MS IIS8.5: [[https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm#multiple|Multiple Certificates Using SNI]]

== Technical notes ==

=== What is subjectAltName? ===

subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName), subjectAltName must always be used (RFC 2818 4.2.1.7, 1. paragraph). CN is only evaluated if subjectAltName is not present, and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to use it for all host names, email addresses, etc., not just the "additional" ones.

=== subjectAltName and CAcert CSR parser ===

The CSR parser strips any commonNames and subjectAltNames whose domain the system can't match to your account. You can view the domains listed on your account by going to the domains section of the website after you log in, and then clicking on [[https://www.cacert.org/account.php?id=9|View]].

According to the standards, commonName will be ignored if you supply a subjectAltName in the certificate. This was verified to be working in the latest versions of both MS IE and Firefox (as of 2005/05/12).

 * Further reading: [[FAQ/subjectAltName|Multiple subjectAltName(s) in a CSR with OpenSSL]]
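
The pre-submission check below is an added example, not CAcert's CSR parser code. It models the two behaviours described above: names are stripped when they do not match a domain on the account, and the CN is ignored by clients once any subjectAltName is present. The function names, the matching rule (exact registered domain or a subdomain of one) and the example.org/example.net sample are assumptions.

```python
import re

def parse_subject(subject):
    """Return (commonName, [DNS subjectAltNames]) from a CSR subject line
    written in the /subjectAltName=DNS:... style shown on this page."""
    cn = re.search(r"\bCN=([^/,\s]+)", subject)
    sans = re.findall(r"subjectAltName=DNS:([^/,\s]+)", subject)
    return (cn.group(1).lower() if cn else None, [s.lower() for s in sans])

def covered(name, registered):
    """Assumed rule: a name matches if it equals a registered domain or is
    a subdomain of one; a leading '*.' wildcard label is ignored."""
    host = name[2:] if name.startswith("*.") else name
    return any(host == d or host.endswith("." + d) for d in registered)

def precheck(subject, registered):
    """Report which names would survive and whether the CN is usable."""
    cn, sans = parse_subject(subject)
    registered = [d.lower().rstrip(".") for d in registered]
    names = ([cn] if cn else []) + [s for s in sans if s != cn]
    return {
        "kept": [n for n in names if covered(n, registered)],
        "stripped": [n for n in names if not covered(n, registered)],
        # With any SAN present, SAN-aware clients ignore the CN, so the CN
        # host name must be repeated as a SAN entry.
        "cn_missing_from_san": bool(sans) and cn is not None and cn not in sans,
    }

# Subject line taken from the CSR example on this page.
PAGE = ("C=Au, ST=NSW, L=Sydney, O=CAcert Inc., CN=*.cacert.org"
        "/emailAddress=support@cacert.org "
        "/subjectAltName=DNS:*.cacert.org/subjectAltName=DNS:cacert.org")
# Constructed sample: CN not repeated as a SAN, one name on a foreign domain.
BAD = ("CN=www.example.org/subjectAltName=DNS:mail.example.org"
       "/subjectAltName=DNS:www.example.net")

if __name__ == "__main__":
    print(precheck(PAGE, ["cacert.org"]))
    print(precheck(BAD, ["example.org"]))
```
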