OpenSSL and IDN Certificates

As internationalized domain names (IDN) proliferate more people need to test with, and ultimately purchase, IDN certificates. If you need to generate a CSR or even a self-signed certificate for an internationalized domain follow these steps:

Take the UTF-8 characters and paste them into a punycode converter (also known as ASCII compatible encoding, or ACE).
The resulting converted text will be a fairly long string that starts with “xn--”. Copy the entire thing.
Now run this command.

For CSR generation¹:

openssl req -new -nodes -out mycsr.csr -keyout mykey.pem -newkey rsa:2048

For self-signed certificate generation²:

openssl req -new -nodes -x509 -days 3650 -out mycert.cer -keyout mykey.pem -newkey rsa:2048

Either way, follow the prompts and when you reach Common Name paste the text you copied from the punycode converter. Now you can submit your CSR to a certification authority or install the self-signed certificate for testing.

We are generating a 2048-bit CSR ↩
This will generate a 10 year self-signed certificate. ↩

idn, openssl

Print article

This entry was posted by Paul Kehrer on January 3, 2010 at 12:34 pm, and is filed under Posts. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (0)

No comments yet.

No trackbacks yet.

Parsing A CRL With OpenSSL

about 1 month ago - No comments

Short and sweet. This command will give you a list of revoked serial numbers:

openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure if it is DER or PEM open it with a text editor. More >

Find A Matching Certificate And Key Pair

about 4 months ago - No comments

If you have a list of keys and SSL certs and don’t know which cert belongs with which key, here’s a script for you. It’s not efficient (nested for loop!), but it gets the job done quickly.1

#!/bin/bash
for i in `ls *.key`
do
key_mod=`openssl rsa -noout -in $i -modulus`
for j in `ls *.cer`
do
x509_mod=`openssl x509 -noout -in More >

Create A 2048-bit Key Via OpenSSL

about 4 months ago - No comments

We are fast approaching the date where NIST has recommended that end entities stop utilizing 1024-bit private keys. OpenSSL, however, currently defaults to creating 1024-bit keypairs. To create a 2048-bit private key and corresponding CSR (which you can send to a certificate authority to obtain your SSL certificate):

openssl req -new -nodes -newkey rsa:2048 -keyout More >

Check If A Certificate & Private Key Match

about 5 months ago - 1 comment

Check if an SSL certificate and private key match in two simple commands. The OpenSSL commands below will require you to replace <file> with your file’s name.
For your SSL certificate:1

openssl x509 -noout -modulus -in <file> | md5sum

For your RSA private key:

openssl rsa -noout -modulus -in <file> | md5sum

The output of these commands should be More >

Using OpenSSL s_time

about 11 months ago - No comments

Recently I needed to do some performance testing of an SSL instance on a VM. I considered using JMeter, but decided to use OpenSSL to get a rudimentary picture instead.
To obtain a basic result, we connect to the server and pull the /index.php file. You can specify whatever file you’d like to download, More >

RSA Encryption and Signing

about 11 months ago - 1 comment

OpenSSL provides several tools that allow you to RSA encrypt/sign arbitrary data files. Of course, directly RSA encrypting large volumes of data is impractical because the encrypted/signed data cannot exceed the size of the key material. This is one of the reasons why SSL connections typically handshake and then pass an AES (or More >

Creating a PKCS7 (P7B) Using OpenSSL

about 11 months ago - No comments

Continuing the howto nature of this blog (and its peculiar obsession with OpenSSL), here’s a primer on packaging an arbitrary number of certificates into a single PKCS7 container. These files are quite useful for installing multiple certificates on Windows servers. They differ from PKCS12 (PFX) files in that they can’t store private keys. More >

Checking A Remote Certificate Chain With OpenSSL

about 12 months ago - 1 comment

If you deal with SSL/TLS long enough you will run into situations where you need to examine what certificates are being presented by a server to the client. The best way to examine the raw output is via (what else but) OpenSSL.1
First let’s do a standard webserver connection (-showcerts dumps the PEM encoded certificates More >

Re-Signing An Expired CA Certificate

about 1 year ago - No comments

On rare occasions you may find yourself with a self-signed internal CA that has expired while you are still using certificates issued from the CA. One potential solution to this problem is to self-sign a new cert with identical fields using the private key from the old certificate.1
You can fill in almost all the More >

OpenSSL SAN/UCC Certificate Generation

about 1 year ago - 1 comment

Signing a CSR containing subjectAltName (SAN/UCC) extensions isn’t hard, but can be a daunting challenge for the OpenSSL neophyte. We’re going to use the OpenSSL Self-Signed CA to accomplish this task in two ways.
Pre-Existing SAN CSR
Either you already have a SAN CSR from another source or you generated one using the tutorial from yesterday. More >