UCC Certificates?


Daniel Flippance

Dec 26, 2014, 5:06:28 AM
to ca-...@letsencrypt.org
Hi there,

Very excited about the upcoming Let's Encrypt initiative. Does anyone know if UCC Certificates will be supported in the first version in summer 2015?

Thanks,
Daniel

Richard Barnes

Dec 26, 2014, 11:42:24 AM
to Daniel Flippance, ca-...@letsencrypt.org
Hi Daniel,

If I understand you correctly, "UCC" means "certificate with multiple SANs" [1].  Is that right?

If so, I think the answer to your question is "yes", or at least "the technical capability should be there".  You would do a validation transaction to bind each SAN to an account key.  Then you can send a request for a certificate containing any combination of names that you've validated.

I'm pretty sure you can do this with our draft code [2], by doing two new-authorization transactions, then a new-certificate transaction with a multi-SAN CSR.  Feel free to give it a try, and let me know if it doesn't work for any reason.

--Richard 

To unsubscribe from this group and stop receiving emails from it, send an email to ca-dev+un...@letsencrypt.org.

Melvin Carvalho

Dec 26, 2014, 4:12:41 PM
to Richard Barnes, Daniel Flippance, ca-...@letsencrypt.org
On 26 December 2014 at 17:42, Richard Barnes <r...@ipv.sx> wrote:
> Hi Daniel,
>
> If I understand you correctly, "UCC" means "certificate with multiple SANs" [1].  Is that right?
>
> If so, I think the answer to your question is "yes", or at least "the technical capability should be there".  You would do a validation transaction to bind each SAN to an account key.  Then you can send a request for a certificate containing any combination of names that you've validated.
>
> I'm pretty sure you can do this with our draft code [2], by doing two new-authorization transactions, then a new-certificate transaction with a multi-SAN CSR.  Feel free to give it a try, and let me know if it doesn't work for any reason.

This is an awesome feature.  Thank you!!!

sanjee...@redlands.edu

Mar 16, 2015, 2:02:42 PM
to ca-...@letsencrypt.org, r...@ipv.sx, danielf...@gmail.com
This functionality could also be very useful for academic libraries. Many libraries use a UCC or SAN certificate to secure their proxy server, which authenticates users to allow them to use the library's subscription databases from off campus. The certificate has to include their proxy server's domain (e.g. library.university.edu) as well as the domains of any databases utilizing a secure connection (e.g. database1.com.library.university.edu, database2.com.library.university.edu, etc.). Purchasing a UCC or SAN certificate is quite costly for libraries, so we usually only do it once a year and there is no way to add additional domains the rest of the year. I am just learning about the Let's Encrypt project, but it sounds like this could be a better way for libraries to handle this common situation.

Regards,
Sanjeet Mann
Electronic Resources Librarian
University of Redlands
http://library.redlands.edu

bradb...@gmail.com

Jun 1, 2015, 6:14:51 PM
to ca-...@letsencrypt.org
Hi Richard,

I'm in the middle of trying to generate a multi-SAN certificate. I begin by initiating two authorizationRequests for the domains in question, both of which are initially deferred "Validating identifier..." shortly before receiving authorization. I attempt to finish with a certificateRequest using the CSR with both domains in the X509v3 Subject Alternative Name field. The certificate request response comes back with only the first of the two domains mentioned in both the Subject and the X509v3 Subject Alternative Name field.

Am I missing something in this process? Are multi-SAN certs still working, or am I barking up the wrong tree?
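Richard's procedure (validate each name, then one new-certificate request carrying a multi-SAN CSR) and Brad's report that the issued certificate came back with only the first SAN, as an added Go example that is not from the thread, from Boulder or from the test.js client: it builds the multi-SAN CSR with the standard library, has a stand-in CA sign it, and compares the SAN list of the issued certificate against the request. The example names, the self-signed stand-in CA and the `truncate` switch that reproduces the reported failure are constructed for this demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair; in this demo any failure is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// missingSANs lists the requested DNS names that are absent from the issued certificate's SAN extension.
func missingSANs(requested []string, cert *x509.Certificate) (missing []string) {
	issued := map[string]bool{}
	for _, n := range cert.DNSNames {
		issued[n] = true
	}
	for _, n := range requested {
		if !issued[n] {
			missing = append(missing, n)
		}
	}
	return missing
}

// checkIssuance builds a multi-SAN CSR, has a stand-in CA sign it (self-signed, so this runs offline)
// and returns the names the certificate dropped. truncate=true mimics the failure reported in the thread.
func checkIssuance(names []string, truncate bool) []string {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// Every name goes into the X509v3 Subject Alternative Name extension; the CN is only the first.
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: names[0]}, DNSNames: names}, key))
	csr := must(x509.ParseCertificateRequest(csrDER)) // CA side: DNSNames is filled from the SAN extension
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	if truncate { // the reported misbehaviour: only the first SAN survives issuance
		tmpl.DNSNames = tmpl.DNSNames[:1]
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, key))
	return missingSANs(csr.DNSNames, must(x509.ParseCertificate(der)))
}
```

Running `missingSANs` against a certificate returned by a real CA is the same check: any name it lists was silently dropped from the request.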

Richard Barnes

Jun 1, 2015, 6:30:40 PM
to bradb...@gmail.com, ca-...@letsencrypt.org
Hey Brad,

Interesting.  Are you running the most current version of Boulder?

According to our unit tests, what you're talking about should work, but I don't think we've done integration testing on the multi-SAN case.  I'll do some experimentation and try to track this down.  In the meantime, would you mind filing a Github issue with as much detail as possible?
Thanks,
--Richard


bradb...@gmail.com

Jun 1, 2015, 6:32:29 PM
to ca-...@letsencrypt.org, bradb...@gmail.com
I'm making use of https://www.letsencrypt-demo.org/. Not sure if that's running the most current version or not. I'll file a ticket on github with the data I have.

Richard Barnes

Jun 1, 2015, 8:23:25 PM
to bradb...@gmail.com, ca-...@letsencrypt.org
Ah, I think that might have been updated today.  Maybe retry and see if it works any better?

Richard Barnes

Jun 1, 2015, 9:38:23 PM
to Brad Beattie, ca-...@letsencrypt.org
I just added multi-domain support to the test.js client script that boulder uses for its integration testing.
With a local install of boulder, that works just fine to make a multi-domain / UCC cert.  I haven't tested it against the public-facing instance, but if you've got a properly-situated server you can run on, you should be able to:

> npm install

dan...@trymarketspace.com

Jun 19, 2015, 7:50:09 PM
to ca-...@letsencrypt.org, bradb...@gmail.com
Hi all,

I've recently discovered that it's technically possible to include a wildcard in a multi-domain certificate but that some certificate providers don't support it: https://info.ssl.com/faq-can-i-use-wildcard-domains-in-my-ucc-certificate/

Will the Let's Encrypt initiative support wildcards in multi-domain / UCC certs? For example: One SSL certificate that includes the following domains:

- and possibly:

Thanks,
Daniel

Richard Barnes

Jun 21, 2015, 9:04:21 AM
to dan...@trymarketspace.com, ca-...@letsencrypt.org, Brad Beattie
AFAIK, Let's Encrypt doesn't have any plans to support wildcard certificates. Boulder certainly doesn't support them -- it will reject a name with a "*" in it as invalid.

Vincent Lynch

Jun 21, 2015, 10:06:59 AM
to Richard Barnes, dan...@trymarketspace.com, ca-...@letsencrypt.org, Brad Beattie
I know that one of the Let's Encrypt developers (@bcrypt) has worked on adding Wildcard support to Boulder.

I think you can find a bug report about it in Github. It may not be ready for the initial launch.

-Vince 
--
Vincent Lynch

Charles A

Dec 29, 2015, 6:15:38 AM
to Let's Encrypt CA Development, bradb...@gmail.com
I use GoDaddy with multiple domains, and I used https://www.sslforfree.com/ to generate the SSL certs for my domains using the manual verification.
I had to use FTP to upload two files, one for the subdomains, to an accessible folder of the site root for the process to work.
The instructions are fairly well laid out. I just got three domains and one subdomain sorted out in 2 hrs.
Cheers,