Accented domain names (FQDN / SANs)
Using Punycode
Punycode is intended for the encoding of labels in the Internationalized Domain Names in Applications (IDNA) framework. It converts a string of Unicode characters, uniquely and reversibly, into a restricted ASCII character set.
Example: The domain "accentéd-domain.com" becomes "xn--accentd-domain-gkb.com" (xn-- indicates an internationalized domain).
Encoding a domain into punycode
We recommend several solutions to encode your accented domains into punycode:
- CSR creation assistant tool: if your domain contains an accented character, our wizard automatically provides a CN in punycode format
- Encode your CN via this website: http://www.freesitemapgenerator.com/idn-to-punycode.html
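The same conversion can be done locally instead of through a website. The Python code below is an added example, not part of the original page or of the CSR wizard; the function names to_punycode and to_unicode are hypothetical, and it assumes Python's built-in "idna" codec (IDNA 2003 rules) is acceptable for your names.

```python
# Added example (not the page's code): local IDN -> punycode conversion.
# Assumption: Python's built-in "idna" codec (IDNA 2003 rules) is acceptable.

def _split_wildcard(fqdn):
    """Separate a leading "*." so only real labels are converted."""
    fqdn = fqdn.strip().rstrip(".")
    return ("*.", fqdn[2:]) if fqdn.startswith("*.") else ("", fqdn)

def to_punycode(fqdn):
    """Return the ASCII (xn--) form of an FQDN for use as a CSR CN or SAN."""
    prefix, host = _split_wildcard(fqdn)
    out = []
    for label in host.split("."):
        if not label:
            raise ValueError("empty label in %r" % fqdn)
        # The codec normalizes the label and adds "xn--" only when needed;
        # it raises UnicodeError (a ValueError) for labels over 63 bytes.
        out.append(label.encode("idna").decode("ascii"))
    ascii_host = ".".join(out)
    if len(ascii_host) > 253:
        raise ValueError("encoded name is longer than 253 characters")
    return prefix + ascii_host

def to_unicode(fqdn):
    """Decode xn-- labels back to Unicode, e.g. to review a CN before signing."""
    prefix, host = _split_wildcard(fqdn)
    labels = [l.encode("ascii").decode("idna") for l in host.split(".")]
    return prefix + ".".join(labels)

if __name__ == "__main__":
    # The page's example domain, plus a wildcard and a plain ASCII name.
    for name in ("accent\u00e9d-domain.com", "*.accent\u00e9d-domain.com",
                 "accented-domain.com"):
        encoded = to_punycode(name)
        print(name, "->", encoded, "->", to_unicode(encoded))
```

Decoding the result with to_unicode before submitting the CSR confirms that the punycode CN really corresponds to the domain you intended.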
Other solution: Activate UTF8 in OpenSSL
You can also generate a CSR with a UTF8 encoding.
To activate UTF8 with OpenSSL tools, update the default OpenSSL configuration file: openssl.cnf
In this file, set string_mask = utf8only in the [req] section. Example:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
#string_mask = nombstr
string_mask = utf8only
Then re-run the OpenSSL command; the CSR will be generated in UTF8.
For example:
openssl req -new -newkey rsa:2048 -nodes -out wild.accented-domain.com.csr \
    -keyout wild.accented-domain.com.key \
    -subj "/C=FR/ST=Calvados/L=Caen/O=TBS-INTERNET/CN=*.accented-domain.com"
To see the CSR details and check its encoding, use the following command:
openssl req -text -noout -in wild.accented-domain.com.csr -nameopt sep_multiline,utf8,show_type