There is no identifying organizational information for these certificates and thus should never be used for commercial purposes.
It is the cheapest type of certificate to get.
This is the certificate used for public website.
The full qualified domain name (DNS name) should match one of the following certificate property:
- the Common Name
Domain-validated certificates are based on proof of ownership of a domain, and is driven by a protocol called ACME
Note that the Visitors to a website with Domain Validated (DV) certificates cannot validate, via the certificate, if the business on the site is legitimate.
The ownership of a domain is checked via a challenge:
- or hosting a file somewhere on a random path on the web site.
The maximum lifetime is 825 days (roughly 27 months) 3)
Example (when the certificate is open with portecle)
- match the CN
- match via the Subject Alternative Name
This is an example of domain validated server certificate creation with openssl
The server.ini configuration file below set:
- the keyUsage that goes with a serverAuth.
- the CN of the server (ie req_distinguished_name)
- explicitly that this is not a CA certificate with the basicConstraints
- the subject alternative name with a DNS name via the subjectAltName property that should match the DNS of the web server
[ req ] # Options for the `req` tool: PKCS#10 certificate request and certificate generating utility. (`man req`) distinguished_name = req_distinguished_name # does not prompt for dn fields prompt = no # Default md (message digest to use for the hash/fingerprint) # option: SHA-1 is deprecated, so use SHA-2 family instead # TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm # https://support.apple.com/en-us/HT210176 default_md = sha256 [ req_distinguished_name ] # CN used to create the CA server C = Country O = Organisation CN = ServerName or DNS name [ server_extensions ] # List of extensions to add to certificate generated # A CA certificate must contains: CA: true basicConstraints = critical, CA:false # Key Usage keyUsage = critical, digitalSignature, keyAgreement, keyEncipherment # Used for server auth extendedKeyUsage=serverAuth # as seen https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html under v3_ca example subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always subjectAltName=DNS:example.com,DNS:*.example.com
Then the OpenSSL command:
openssl req \ -new `# Ask a certificate signing request`\ -keyout server_private_key.pem `# The private key output (created if the key option is not given)` \ -nodes `#don't encrypt the created private key` \ -out server_csr.pem `# The certificate signing request (CSR) file ` \ -config server.ini
- Signing of the request with a CA certificate
openssl \ x509 `# output a certificate` \ -req `#input is a certificate request, sign and output` \ -days 365 `#How long till expiry of a signed certificate ` \ -in server_csr.pem \ -out server_certificate.pem \ -CA ca_certificate.pem \ -CAkey ca_private_key.pem \ -set_serial 0x"$(openssl rand -hex 16)" `# large random unique identifier for the certificate. ` \ -extensions server_extensions \ -extfile server.ini