Unified Communications Certificate (SANS UCC Certificate): Difference between revisions
Latest revision as of 17:09, 27 January 2015
Unified Communications Certificate
[1]. Unified Communications Certificate.
A Unified Communications Certificate (UCC) is an SSL certificate that secures multiple domain names and multiple host names within a domain name. A UCC lets you secure a primary domain name and additional Subject Alternative Names* (SANs) in a single certificate.
For example, with a UCC certificate you can secure:
- www.example.com
- www.example1.com
- www.example2.net
- mail.example.net
[2]. Wildcard certificate.
The difference between a UCC and a wildcard certificate is that a wildcard certificate protects all first-level sub-domains of a single domain, such as *.example.com, but it cannot protect both www.example.com and www.example.org.
[3]. How to check the Subject Alternative Names.
During the creation of a CSR, we specify the names of the servers we would like this certificate to protect:
# /opt/zimbra/bin/zmcertmgr createcsr comm -new -subjectAltNames "one.example.com,two.example.com"
The protected servers can be viewed using an openssl command:
# openssl req -text -noout -in /opt/zimbra/ssl/zimbra/server/server.csr
 Certificate Request:
     Data:
         Version: 0 (0x0)
         Subject: C=US, ST=N/A, L=N/A, O=Zimbra Collaboration Server, OU=Zimbra Collaboration Server, CN=one.example.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:b3:f2:3c:41:3e:a6:89:34:b4:84:3f:1b:79:7f:
                     0c:10:c7:c1:29:4d:ab:fa:86:db:f8:7f:c5:3c:75:
                     1c:be:7b:3b:ea:2d:ab:58:6f:56:31:71:7d:6f:b0:
                     e1:0a:23:5a:1c:ee:e6:56:5f:4f:68:9b:bc:54:20:
                     80:81:1c:9d:82:7a:fa:5c:2e:3b:bb:ca:42:5d:c3:
                 Exponent: 65537 (0x10001)
         Attributes:
         Requested Extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             X509v3 Key Usage:
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Subject Alternative Name:
                 DNS:one.domain.com, DNS:one.example.com, DNS:two.example.com
     Signature Algorithm: sha256WithRSAEncryption
          af:b4:91:8b:e5:6e:16:bd:df:ef:cc:5d:85:69:5b:dd:d2:18:
          17:59:17:c7:e6:55:36:cf:2a:8c:8b:ba:2e:20:ac:c7:25:2a:
          6c:b0:66:30:6f:96:ac:80:07:96:ef:6d:0c:b8:88:ab:10:50:
          93:8a:a8:89:44:04:0c:78:29:93:68:cd:d2:b7:cc:b9:7f:fb:
SAN: Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate.
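Added example, not part of the original wiki page or of Zimbra's tooling: a POSIX shell check that reads `openssl req -text -noout` output, extracts the SAN DNS names and lists the required host names the request would not cover, applying the one-label wildcard rule from [2]. The function names and the host mail.example.com are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (function names are hypothetical, not Zimbra or OpenSSL tools).

# Print one lower-cased SAN DNS name per line from openssl text output on stdin.
san_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p' |
        tr 'A-Z' 'a-z'
}

# Succeed if SAN entry $1 covers host $2. A wildcard stands for exactly one
# left-most label: *.example.com covers www.example.com, but not example.com,
# a.b.example.com or www.example.org.
covers() {
    case "$1" in
        '*.'*)
            suffix=${1#'*'}          # e.g. ".example.com"
            label=${2%"$suffix"}     # host with that suffix cut off
            [ "$label" != "$2" ] && [ -n "$label" ] &&
                case "$label" in *.*) false ;; *) true ;; esac
            ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# Print every required host (arguments) that no SAN on stdin covers.
# Runs in a subshell with globbing off so "*.example.com" is not expanded.
uncovered() (
    set -f
    sans=$(san_names)
    for host in "$@"; do
        ok=no
        for san in $sans; do
            covers "$san" "$host" && ok=yes && break
        done
        [ "$ok" = yes ] || printf '%s\n' "$host"
    done
    exit 0
)

# Excerpt of the CSR output shown above; mail.example.com is a constructed name.
SAMPLE='            X509v3 Subject Alternative Name:
                DNS:one.domain.com, DNS:one.example.com, DNS:two.example.com
    Signature Algorithm: sha256WithRSAEncryption'
printf '%s\n' "$SAMPLE" | uncovered one.example.com two.example.com mail.example.com

# Against a real request:
#   openssl req -text -noout -in /opt/zimbra/ssl/zimbra/server/server.csr | uncovered one.example.com
```

Empty output means every required name is covered; running this on the CSR before it goes to the CA catches a missing host name while it is still cheap to regenerate the request.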
[4]. Additional information about certificates can be found here: https://wiki.zimbra.com/wiki/SSL_Certificates