Domain Validated Certificates (DV)

About

Domain Validated certificates are server signed certificates where the ownership of the domain was checked.

There is no identifying organizational information for these certificates and thus should never be used for commercial purposes.

It is the cheapest type of certificate to get.

This is the certificate used for public website.

The full qualified domain name (DNS name) should match one of the following certificate property:

Domain-validated certificates are based on proof of ownership of a domain, and is driven by a protocol called ACME

Security

Note that the Visitors to a website with Domain Validated (DV) certificates cannot validate, via the certificate, if the business on the site is legitimate.

Challenge

The ownership of a domain is checked via a challenge:

Lifetime

The maximum lifetime is 825 days (roughly 27 months) 3)

Example

Example (when the certificate is open with portecle)

  • match the CN

  • match via the Subject Alternative Name

Creation

This is an example of domain validated server certificate creation with openssl

The server.ini configuration file below set:

  • the extendedKeyUsage to serverAuth to advertise that a server certificate must be created
  • the keyUsage that goes with a serverAuth.
  • the CN of the server (ie req_distinguished_name)
  • explicitly that this is not a CA certificate with the basicConstraints
  • the subject alternative name with a DNS name via the subjectAltName property that should match the DNS of the web server
[ req ]
# Options for the `req` tool: PKCS#10 certificate request and certificate generating utility. (`man req`)
distinguished_name	= req_distinguished_name
# does not prompt for dn fields
prompt			= no

# Default md (message digest to use for the hash/fingerprint) 
# option: SHA-1 is deprecated, so use SHA-2 family instead
# TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm
# https://support.apple.com/en-us/HT210176
default_md          = sha256

[ req_distinguished_name ]
# CN used to create the CA server
C			= Country
O			= Organisation
CN			= ServerName or DNS name

[ server_extensions ]
# List of extensions to add to certificate generated 

# A CA certificate must contains: CA: true
basicConstraints = critical, CA:false

# Key Usage
keyUsage = critical, digitalSignature, keyAgreement, keyEncipherment
# Used for server auth
extendedKeyUsage=serverAuth

# as seen https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html under v3_ca example
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

subjectAltName=DNS:example.com,DNS:*.example.com

Then the OpenSSL command:

openssl req \
   -new `# Ask a certificate signing request`\
   -keyout server_private_key.pem `# The private key output (created if the key option is not given)` \
   -nodes `#don't encrypt the created private key` \
   -out server_csr.pem `# The certificate signing request (CSR) file ` \
   -config server.ini 
openssl \
     x509 `# output a certificate`  \
    -req `#input is a certificate request, sign and output` \
    -days 365 `#How long till expiry of a signed certificate ` \
    -in server_csr.pem \
    -out server_certificate.pem \
    -CA ca_certificate.pem \
    -CAkey ca_private_key.pem \
    -set_serial 0x"$(openssl rand -hex 16)"  `# large random unique identifier for the certificate. ` \
    -extensions server_extensions \
    -extfile server.ini

Powered by ComboStrap