What format to use for CN and DNS fields in SSL certificate for IDN?

If I was given an SSL certificate for an IDN domain, should I expect the value in the CN field to be a UTF-8 literal string for the domain name or a punycode-escaped version?

What about the X509v3 Subject Alternative Name DNS object records, will they be in the same format?

Can I see some examples of crt files or a link to IDNs that use SSL?

Is there a regulatory specification?

+5
1 answer

Assuming you are talking about HTTPS, the rules traditionally used to verify hostnames are defined in RFC 2818, section 3.1, to mention internationalized domain names in general.

" " RFC, RFC 6125, . IDN ( 6.4.2):

 If the DNS domain name portion of a reference identifier is an
 internationalized domain name, then an implementation MUST convert
 any U-labels [IDNA-DEFS] in the domain name to A-labels before
 checking the domain name.  In accordance with [IDNA-PROTO], A-labels
 MUST be compared as case-insensitive ASCII.  Each label MUST match in
 order for the domain names to be considered to match, except as
 supplemented by the rule about checking of wildcard labels
 (Section 6.4.3; but see also Section 7.2 regarding wildcards in
 internationalized domain names).

, . -, RFC 6125 , , . -, RFC 2818 (, , CN , ).

+1
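The comparison rule quoted from RFC 6125 section 6.4.2 in the answer above, as an added example that is not part of the original answer. Assumptions: Python's standard-library `idna` codec (IDNA 2003) stands in for the U-label to A-label conversion, the function names and the sample names are constructed for illustration, and the wildcard rule of section 6.4.3 is left out.

```python
# Added example: label-by-label matching of a reference identifier (the name
# the client wants to reach) against a presented identifier (a name taken
# from the certificate). Wildcard handling (RFC 6125 section 6.4.3) is out of
# scope here, so a presented name containing "*" only matches literally.

def to_a_labels(name):
    """Split a DNS name into labels, converting U-labels to lowercase A-labels."""
    out = []
    for label in name.rstrip(".").split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            # Assumption: stdlib IDNA 2003 codec used for the conversion.
            out.append(label.encode("idna").decode("ascii").lower())
    return out


def matches(reference, presented):
    """Return True if every label matches, compared as case-insensitive ASCII."""
    # A dNSName entry is an IA5String, so a non-ASCII presented name is rejected
    # instead of being converted.
    if not presented.isascii():
        return False
    try:
        ref = to_a_labels(reference)
    except UnicodeError:
        return False  # reference name is not a valid IDN
    pres = presented.rstrip(".").lower().split(".")
    return ref == pres


if __name__ == "__main__":
    # Constructed sample data: a user-typed name and SAN entries from a certificate.
    reference = "bücher.example"
    san_dns = ["www.example", "XN--BCHER-KVA.example"]
    print(to_a_labels(reference))
    for entry in san_dns:
        print(entry, matches(reference, entry))
```
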
