Last updated: 
2 weeks 2 days ago
Group Manager
Welcome to the Jisc Certificate Service group. For an update on the NEW Jisc certificate service please follow the below link. The New Jisc Certiface Service  The service offers a number of different X509 SSL certificates, including Extended Validation certificates that give users the highest possible assurance, as well as S/MIME email certificates for digitally signing emails. Jisc has an agreement with the Certificate Authority, QuoVadis who is the provider of the certificates. The service has been running since 2006 and has issued many thousands of certificates to organisations in UK research and education. This is a Community group where users can obtain relevant information, receive service updates and provide feedback.

Underscore characters in dnsNames for SSL Certificates

14 November 2018 at 4:26pm

The use of underscore characters in dnsNames is not allowed in Internet standards but has historically been treated as a gray area when used in the SAN field of TLS/SSL certificates.  Most CAs are disallowing this issuance following discussion in the CA/Browser Forum.

We have  previously issued browser-trusted TLS/SSL certificates that include dnsNames with underscore characters in the SAN fields.

We  will cease this practice on January 25, 2019.  Customers will no longer be able to renew certificates, nor to request new TLS/SSL certificates that include dnsNames with underscore characters, after this date.

We apologise for the inconvenience and suggest that you begin transition to domains that do not use underscore characters. 

Please contact us on certificates@jisc.ac.uk if you have any further questions.

 

Comments

Underscores was one of the first things I banned (for the UK e-Science CA). Back in the early noughties a university had creatively asked for O=University_of_Place in the DN which bizarrely (and totally incorrectly) got encoded as IA5String by the software (as opposed to printableString). Although the alternative name is encoded as IA5String, we also have the hostname in the CN to support older software (cf RFC 2818, section 3.1), which, until UTF8 came along, had to be printableString or you were asking for trouble...

See also GFD.225 for a long list of experiences learned the hard way. http://www.ogf.org/documents/GFD.225.pdf