Unified Communications Certificate (SANS UCC Certificate): Difference between revisions

Revision as of 09:25, 18 December 2014

Unified Communications Certificate


[1]. UCC

A Unified Communications Certificate (UCC) is an SSL certificate that secures multiple domain names and multiple host names within a domain name. A UCC lets you secure a primary domain name and additional Subject Alternative Names* (SANs) in a single certificate.

For example, with a UCC certificate you can secure:

  • www.example.com
  • www.example1.com
  • www.example2.net
  • mail.example.net


[2]. Wildcard certificate

The difference between a UCC and a wildcard certificate is that a wildcard certificate can protect all first-level subdomains of a single domain, such as *.example.com, but it cannot protect both www.example.com and www.example.org.


[3]. How to check the Subject Alternative Names:

When creating a CSR, we specify the names of the servers we would like this certificate to protect:

  # /opt/zimbra/bin/zmcertmgr createcsr self -new -subjectAltNames "one.example.com,two.example.com"

The protected servers can be viewed using an openssl command:

  # openssl req -text -noout -in /opt/zimbra/ssl/zimbra/server/server.csr

Certificate Request:

   Data:
       Version: 0 (0x0)
       Subject: C=US, ST=N/A, L=N/A, O=Zimbra Collaboration Server, OU=Zimbra Collaboration Server, CN=one.example.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:b3:f2:3c:41:3e:a6:89:34:b4:84:3f:1b:79:7f:
                   0c:10:c7:c1:29:4d:ab:fa:86:db:f8:7f:c5:3c:75:
                   1c:be:7b:3b:ea:2d:ab:58:6f:56:31:71:7d:6f:b0:
                   e1:0a:23:5a:1c:ee:e6:56:5f:4f:68:9b:bc:54:20:
                   80:81:1c:9d:82:7a:fa:5c:2e:3b:bb:ca:42:5d:c3:
             
               Exponent: 65537 (0x10001)
       Attributes:
       Requested Extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           X509v3 Key Usage:
               Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Subject Alternative Name:
               DNS:one.domain.com, DNS:one.example.com, DNS:two.example.com
   Signature Algorithm: sha256WithRSAEncryption
        af:b4:91:8b:e5:6e:16:bd:df:ef:cc:5d:85:69:5b:dd:d2:18:
        17:59:17:c7:e6:55:36:cf:2a:8c:8b:ba:2e:20:ac:c7:25:2a:
        6c:b0:66:30:6f:96:ac:80:07:96:ef:6d:0c:b8:88:ab:10:50:
        93:8a:a8:89:44:04:0c:78:29:93:68:cd:d2:b7:cc:b9:7f:fb:



SAN: Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate.
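
The check in [3] and the wildcard rule in [2] can be combined into one audit of a CSR before it is sent to a CA. This is an added example, not part of the original wiki page or of Zimbra's tooling; the function names csr_sans, san_covers and audit_csr are hypothetical, and the sample text is constructed from the output shown above.

```bash
# Added example: audit the SAN list shown by `openssl req -text -noout`.

# Print each DNS name from the openssl text output on stdin, one per line.
csr_sans() {
  awk '/X509v3 Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Succeed if SAN entry $1 covers host $2. A wildcard stands for exactly one
# leftmost label: *.example.com covers www.example.com, but not example.com,
# a.b.example.com or www.example.org.
san_covers() {
  local san host suffix label
  san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$san" = "$host" ] && return 0
  case $san in \*.*) ;; *) return 1 ;; esac
  suffix=${san#\*}                   # "*.example.com" -> ".example.com"
  label=${host%"$suffix"}            # what the "*" would have to match
  case $label in "$host"|""|*.*) return 1 ;; esac
  return 0
}

# Read CSR text on stdin; arguments are the hosts the certificate must protect.
# Prints MISSING/EXTRA findings; exit status 1 if a required host is uncovered.
audit_csr() (
  set -f                             # keep "*.example.com" from globbing
  sans=$(csr_sans); rc=0
  for host in "$@"; do
    ok=no
    for san in $sans; do if san_covers "$san" "$host"; then ok=yes; fi; done
    [ "$ok" = yes ] || { echo "MISSING $host"; rc=1; }
  done
  for san in $sans; do
    ok=no
    for host in "$@"; do if san_covers "$san" "$host"; then ok=yes; fi; done
    [ "$ok" = yes ] || echo "EXTRA $san"
  done
  exit "$rc"
)

# Constructed sample, modelled on the CSR output shown on this page.
SAMPLE_CSR_TEXT='        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:one.domain.com, DNS:one.example.com, DNS:two.example.com
    Signature Algorithm: sha256WithRSAEncryption'
printf '%s\n' "$SAMPLE_CSR_TEXT" | audit_csr one.example.com two.example.com
```

Against a real request, pipe the openssl command from [3] into audit_csr followed by the host names the certificate is meant to protect. An EXTRA line marks a name in the CSR that was not on the expected list and is worth reviewing before the request goes to the CA.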
