Accented domain names (FQDN / SANs)

Using Punycode

Punycode is intended for the encoding of labels in the Internationalized Domain Names in Applications (IDNA) framework. It encodes a string of Unicode characters into a uniquely and reversibly restricted character set.

Example: The domain "accentéd-domain.com" becomes "xn--accentd-domain-gkb.com" (xn-- indicates an internationalized domain).

Encoding a domain into punycode

We recommand several solutions to encode your accented domains into punycode:

• CSR creation assistant tool: if your domain contains an accented character, our wizard automatically provides a CN in punycode format
• Encode your CN via this website: http://www.freesitemapgenerator.com/idn-to-punycode.html

Other solution: Activate l'UTF8 on OpenSSL

You can also generate a CSR with a UTF8 encoding.

To activate UTF8 with OpenSSL tools, update the default OpenSSL configuration file: openssl.cnf

In this file: affect the string_mask = utf8only variable of the [req] section. Example:

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
#string_mask = nombstr
string_mask = utf8only

Then, re-execute the OpenSSL command, the CSR will be generated in UTF8.
For example:

openssl req -new -newkey rsa:2048 -nodes -out wild.accented-domain.com.csr \
-keyout wild.accented-domain.com.key \
-subj "/C=FR/ST=Calvados/L=Caen/O=TBS-INTERNET/CN=*.accented-domain.com"

To see the CSR details and check its encoding, use the following command:

openssl req -text -noout -in wild.accented-domain.com.csr  -nameopt sep_multiline,utf8,show_type