
I am moving my app into production and need help in generating CSR. I created a private key and followed these steps:

  1. Created private key
  2. Entered passphrase for it (openssl genrsa -des3 -out domainname.key 1024)
  3. Created CSR (openssl req -new -key domainname.key -out domainname.csr)
  4. In the CSR, I entered all the info. Common name was in format: XX.XXX.XXX:3000, where X is a number.

Finally, I generated the CSR, but at this stage my application is on a remote server with IP address http://XX.XXX.XXX.XXX:3000/, and on thawte.com, when generating the trial SSL, it shows me the error:

   The Common Name in the CSR is invalid.

Has anyone had a similar task and can advise me what I have done wrong?

Second question: What server can you recommend to me and, accordingly, what Web Platform (when generating SSL) should I choose in the list?

Denys Medynskyi

3 Answers

2

Common names do not contain port numbers or colons such as :3000. They should not be an IP address. They also do not contain protocol identifiers such as https://.

If memory serves me correctly, numbers on their own are not valid as a domain name (although they can be for subdomains) and there is no top-level domain that is just a number. Your common name of XX.XXX.XXX:3000 where X are numbers is not an IP address or a domain name.

The common name should be nothing but the fully qualified domain name that the certificate is to be used for.

You can use *.example.com for the common name if you are requesting a wildcard certificate.

If your app is running on port 3000, you should request your certificate normally, without the port number, and then tell the clients to use port 3000. If the client is a web browser, this is done in the URL: `https://www.example.com:3000/`

The choice of "Web Platform" is optional and allows Thawte to give you the files in the format required by that software. For instance, nginx requires that the certificate and any chain certificates are in the same file, in the right order. Apache can have them in separate files and import them both with SSLCertificateFile and SSLCertificateChainFile. If your website is running on a well-known HTTP server that's in the list, choose that software. If you wrote it yourself or it's custom software written for you and it isn't in the list, consult the manufacturers of the software.

Ladadadada
  • Thanks, can I use the IP address of my remote cloud server? Should I put my application into a real host? – Denys Medynskyi Jul 27 '12 at 13:38
  • The "common name" *must* be a domain name. It can't be an IP address. It is possible to host SSL certificates in the cloud, a "real host" is not required, but a domain name is required. – Ladadadada Jul 27 '12 at 13:48
  • Can I set up a domain name for the remote server, and how do I do it? – Denys Medynskyi Jul 27 '12 at 13:50
  • To answer your questions in order: "Yes" and "That depends on your registrar, DNS provider, server software and server management tools." You should do them in order: buy a domain, point it at your server's IP address, buy the certificate for that domain, configure your web server to serve that domain with the SSL certificate. – Ladadadada Jul 27 '12 at 14:01
  • Just for testing, running your own DNS server or editing your `/etc/hosts` file is adequate. For hosting there is a free tier of Amazon EC2 and probably other cloud providers. VPSs can be had for approximately 1 latte per month. Or you could just host it on your own machine or a VM in your own machine. It's only once you want *other* people to use it that it gets difficult and/or expensive. – Ladadadada Jul 27 '12 at 14:18
1

> Common name was in format : XX.XXX.XXX:3000, where X is number

Firstly, the host name or IP address in the certificate mustn't include the port.

Secondly, assuming XX.XXX.XXX is an IP address, IP addresses must be in a Subject Alternative Name entry of IP address type (not DNS type, and not in the Subject DN's CN). See RFC 2818:

> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present
> in the certificate and must exactly match the IP in the URI.

Some clients are more relaxed about this, but that's no reason to get a non-compliant certificate.

I'm not sure Thawte will issue you a certificate for an IP address anyway, since it's quite difficult for them to check who the IP address belongs to.

(I'm a bit surprised that they even bother looking at the CN, since all they really need is to grab the public key from the CA, and issue a cert with only whatever they've independently validated, anyway.)

Bruno
  • Bruno, I tried to enter the alternative name as my IP, but it said that I need to enter a Common name (domain name). What should I enter there? – Denys Medynskyi Jul 30 '12 at 07:36
  • You might as well enter your IP address in the CN too. It's the CN that's used in most GUI interfaces to manage your certificates, so it will help. It should also help for non-compliant clients. – Bruno Jul 30 '12 at 09:43
  • I can't get an SSL certificate only because of the Common name. In the creation form the error is: Your Common Name may not be an Internet-accessible IP Address! So I should get a domain name somewhere. – Denys Medynskyi Jul 30 '12 at 10:10
  • That sounds like a limitation in the tool you're using to create the certificate more than an actual certificate format limitation (in principle, some host names might not be Internet-accessible either). To be honest, I was just answering this question like this because your problem was about IP addresses, but you should use a host name if you can. There's a general problem with using IP addresses, as mentioned in the ["Out of scope" section of RFC 6125](http://tools.ietf.org/html/rfc6125#section-1.7.2). – Bruno Jul 30 '12 at 10:19
  • Do you know a site with free domain names which I can use easily and fast? – Denys Medynskyi Jul 30 '12 at 10:24
  • I'm not sure of any registrar that can provide you a domain name for free (especially if you want it to be yours ultimately and not theirs), but there are some fairly cheap ones (it's worth checking that they don't have hidden fees). – Bruno Jul 30 '12 at 10:36
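As an added illustration of the two points made in the answers above (the Common Name must be a bare FQDN with no scheme or port, and an IP address belongs in a subjectAltName of IP type per RFC 2818), here is a small Python helper that is not from either answer: it classifies a candidate name the way a strict CA or client would and emits an openssl `req` config with a correctly typed subjectAltName. The rejection rules and the config layout are my own assumptions, not Thawte's form logic.

```python
import ipaddress
import re

# Hostname label rule (RFC 1123 style): letters, digits, hyphens,
# no leading or trailing hyphen, 1-63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_name(raw):
    """Return ("dns", fqdn) or ("ip", address) for a candidate name.

    Raises ValueError with the reason a CA or a strict client would reject
    it: a URL scheme, a trailing ':port' (the XX.XXX.XXX:3000 mistake from
    the question), or a value that is neither an IP nor a plausible FQDN.
    """
    value = raw.strip()
    if "://" in value:
        raise ValueError("name must not include a scheme such as https://")
    # A single ':' followed by digits is a port; IPv6 has several colons.
    if value.count(":") == 1 and re.search(r":\d+$", value):
        raise ValueError("name must not include a port number")
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP address, try to treat it as a hostname
    host = value.rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        raise ValueError("%r is neither an IP address nor a valid FQDN" % raw)
    if labels[-1].isdigit():
        raise ValueError("top-level domain cannot be purely numeric")
    return "dns", host


def openssl_config(names):
    """Build an openssl req config (assumed layout, not from the page).

    The CN is the first name given; every name is also listed in
    subjectAltName with the right prefix, DNS: for hostnames and IP: for
    addresses, which is what RFC 2818 requires for IP-based URIs.
    Use it as: openssl req -new -key domainname.key -config csr.cnf -out domainname.csr
    """
    kinds = [classify_name(n) for n in names]
    if not kinds:
        raise ValueError("at least one name is required")
    san = ", ".join(("IP:" if k == "ip" else "DNS:") + v for k, v in kinds)
    return (
        "[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n"
        "[dn]\nCN = %s\n[ext]\nsubjectAltName = %s\n" % (kinds[0][1], san)
    )
```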
0

The Common Name field should be the Fully Qualified Domain Name (FQDN) or the Web address for which you plan to use your Certificate, e.g. the area of your site you wish customers to connect to using SSL. If the Web address to be used for SSL is www.example-name.com, ensure that the common name submitted in the CSR is www.example-name.com; similarly, if the Web address to be used for SSL is secure.example-name.com, ensure that the common name submitted in the CSR is secure.example-name.com.

Chakri