Unified Communications Certificate (SANS UCC Certificate)


[1]. Unified Communications Certificate.

A Unified Communications Certificate (UCC) is an SSL certificate that secures multiple domain names and multiple host names within a domain name. A UCC lets you secure a primary domain name and additional Subject Alternative Names* (SANs) in a single certificate.

For example, with a UCC certificate you can secure:

  • www.example.com
  • www.example1.com
  • www.example2.net
  • mail.example.net


[2]. Wildcard certificate.

The difference between a UCC and a wildcard certificate is that a wildcard certificate can protect all first-level sub-domains of a single domain, such as *.example.com, but it cannot protect both www.example.com and www.example.org.


[3]. How to check the Subject Alternative Names.

During the creation of a CSR, we specify the names of the servers we would like this certificate to protect:

# /opt/zimbra/bin/zmcertmgr createcsr self -new -subjectAltNames "one.example.com,two.example.com"

The protected servers can be viewed using an openssl command:

# openssl req -text -noout -in /opt/zimbra/ssl/zimbra/server/server.csr

Certificate Request:

   Data:
       Version: 0 (0x0)
       Subject: C=US, ST=N/A, L=N/A, O=Zimbra Collaboration Server, OU=Zimbra Collaboration Server, CN=one.example.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:b3:f2:3c:41:3e:a6:89:34:b4:84:3f:1b:79:7f:
                   0c:10:c7:c1:29:4d:ab:fa:86:db:f8:7f:c5:3c:75:
                   1c:be:7b:3b:ea:2d:ab:58:6f:56:31:71:7d:6f:b0:
                   e1:0a:23:5a:1c:ee:e6:56:5f:4f:68:9b:bc:54:20:
                   80:81:1c:9d:82:7a:fa:5c:2e:3b:bb:ca:42:5d:c3:
             
               Exponent: 65537 (0x10001)
       Attributes:
       Requested Extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           X509v3 Key Usage:
               Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Subject Alternative Name:
               DNS:one.domain.com, DNS:one.example.com, DNS:two.example.com
   Signature Algorithm: sha256WithRSAEncryption
        af:b4:91:8b:e5:6e:16:bd:df:ef:cc:5d:85:69:5b:dd:d2:18:
        17:59:17:c7:e6:55:36:cf:2a:8c:8b:ba:2e:20:ac:c7:25:2a:
        6c:b0:66:30:6f:96:ac:80:07:96:ef:6d:0c:b8:88:ab:10:50:
        93:8a:a8:89:44:04:0c:78:29:93:68:cd:d2:b7:cc:b9:7f:fb:


* SAN: Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate.
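Before sending the CSR to a CA, it is worth confirming that its SAN list matches the hosts you intend to protect. The following is an added example, not part of the original page or of Zimbra's tooling: it parses `openssl req -text -noout` output and reports missing and unexpected names, and goes slightly beyond the check above by also applying the wildcard rule from section [2]. The function names are hypothetical, the sample text is a constructed excerpt mirroring the output shown above, and the wildcard matching is a simplified assumption (one left-most label only).

```python
import re

# Constructed excerpt of `openssl req -text -noout` output, mirroring the CSR above.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Subject: C=US, O=Zimbra Collaboration Server, CN=one.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:one.domain.com, DNS:one.example.com, DNS:two.example.com
    Signature Algorithm: sha256WithRSAEncryption
"""

def extract_dns_sans(text):
    """Return the lower-cased DNS entries listed under the SAN extension."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # The header line may carry a trailing "critical" flag, so match by substring.
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", lines[i + 1])]
    return []

def name_covers(pattern, host):
    """True if a SAN entry covers host; '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Simplification: require at least *.domain.tld and an identical parent domain.
        return len(p) > 2 and p[1:] == h[1:] and h[0] != ""
    return p == h

def audit(text, expected_hosts):
    """Compare the CSR's SANs with the hosts the certificate must protect."""
    sans = extract_dns_sans(text)
    missing = [h for h in expected_hosts if not any(name_covers(s, h) for s in sans)]
    unexpected = [s for s in sans if not any(name_covers(s, h) for h in expected_hosts)]
    return {"sans": sans, "missing": missing, "unexpected": unexpected}

if __name__ == "__main__":
    # Hosts passed to -subjectAltNames in the createcsr command above.
    print(audit(SAMPLE_CSR_TEXT, ["one.example.com", "two.example.com"]))
```

An entry under "unexpected" is a name the certificate would vouch for that you did not ask for; review it before the request is signed.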


[4]. Additional information about certificates can be found here: https://wiki.zimbra.com/wiki/SSL_Certificates
