When submitting CSRs and getting certs from providers like SSL.com, you are allowed to use the hostname in a DNS element within a SAN. Below is a snippet of one of my SSL.com certs, but CertWarden only allows FQDNs. This breaks certs when people use hostname URI requests within networks/organizations. Would you please review and also allow valid hostnames that follow the 2.1 hosts section of RFC 1123, which also includes hostnames that start with a number, such as 1name.example.com and 1name. Below the snippet from one of my certs I have also included the referenced RFCs and also work Oracle did in java.security.cert.
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:mystore, DNS:mystore.example.com, IP Address:192.168.0.1
The main RFC is RFC 5280, but the allowance for just the hostname is in 2.1 of RFC 1123. Here are both:
RFC1123:
2.1 Host Names and Numbers
The syntax of a legal Internet host name was specified in RFC-952
[DNS:4]. One aspect of host name syntax is hereby changed: the
restriction on the first character is relaxed to allow either a
letter or a digit. Host software MUST support this more liberal
syntax.
Host software MUST handle host names of up to 63 characters and
SHOULD handle host names of up to 255 characters.
Whenever a user inputs the identity of an Internet host, it SHOULD
be possible to enter either (1) a host domain name or (2) an IP
address in dotted-decimal ("#.#.#.#") form. The host SHOULD check
the string syntactically for a dotted-decimal number before
looking it up in the Domain Name System.
DISCUSSION:
This last requirement is not intended to specify the complete
syntactic form for entering a dotted-decimal host number;
that is considered to be a user-interface issue. For
example, a dotted-decimal number must be enclosed within
"[ ]" brackets for SMTP mail (see Section 5.2.17). This
notation could be made universal within a host system,
simplifying the syntactic checking for a dotted-decimal
number.
If a dotted-decimal number can be entered without such
identifying delimiters, then a full syntactic check must be
made, because a segment of a host domain name is now allowed
to begin with a digit and could legally be entirely numeric
(see Section 6.1.2.4). However, a valid host name can never
have the dotted-decimal form #.#.#.#, since at least the
highest-level component label will be alphabetic.
RFC 5280:
When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123]. Note that while uppercase and lowercase letters are
allowed in domain names, no significance is attached to the case. In
addition, while the string " " is a legal domain name, subjectAltName
extensions with a dNSName of " " MUST NOT be used. Finally, the use
of the DNS representation for Internet mail addresses
(subscriber.example.com instead of subscriber@example.com) MUST NOT
be used; such identities are to be encoded as rfc822Name. Rules for
encoding internationalized domain names are specified in Section 7.2.
Here is Oracle doing just such work for the java.security.cert.X509CertSelector.addSubjectAlternativeName(..) methods:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8214270#:~:text=The%20java.security.cert.X509CertSelector.addSubjectAlternativeName%28..%29%20methods%20and%20the%20JDK%20keytool%20binary,to%20allow%20DNSNames%20to%20begin%20with%20a%20digit.
Regards,
durken
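A dNSName validator implementing the RFC 1123 section 2.1 rules the post asks for, as an added example that is not part of the original post or of CertWarden's code. It assumes that a name whose last label is entirely numeric should be rejected as a dNSName (such a value belongs in an iPAddress SAN), an interpretation of the RFC's statement that the highest-level label is alphabetic.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidDNSName reports whether name is acceptable as a SAN dNSName under the
// RFC 1034 "preferred name syntax" as relaxed by RFC 1123 section 2.1: labels
// of letters, digits and hyphens, which may begin with a digit but not begin
// or end with a hyphen, each at most 63 octets; a bare single-label hostname
// such as "mystore" is accepted. Assumption: a name whose last label is all
// digits ("192.168.0.1") is rejected, since that is an IP, not a host name.
func ValidDNSName(name string) bool {
	name = strings.TrimSuffix(name, ".") // tolerate one trailing dot (absolute name)
	if name == "" || len(name) > 255 {
		return false
	}
	labels := strings.Split(name, ".")
	for _, label := range labels {
		if !validLabel(label) {
			return false
		}
	}
	last := labels[len(labels)-1]
	return strings.Trim(last, "0123456789") != ""
}

// validLabel applies the per-label rules of RFC 952 as amended by RFC 1123.
func validLabel(label string) bool {
	if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
		return false
	}
	for i := 0; i < len(label); i++ {
		c := label[i]
		alnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
		if !alnum && c != '-' {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample values, including the dNSName entries from the SAN above.
	for _, n := range []string{"mystore", "mystore.example.com", "1name.example.com",
		"1name", "192.168.0.1", "-bad.example.com", "a..b"} {
		fmt.Printf("%-20s valid=%v\n", n, ValidDNSName(n))
	}
}
```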