picture of tbs certificates
picture of tbs certificates
Our products range

Accented domain names (FQDN / SANs)

Using Punycode

Punycode is intended for the encoding of labels in the Internationalized Domain Names in Applications (IDNA) framework. It encodes a string of Unicode characters into a uniquely and reversibly restricted character set.

Example: The domain "accenté" becomes "" (xn-- indicates an internationalized domain).

Encoding a domain into punycode

We recommand several solutions to encode your accented domains into punycode:

Other solution: Activate l'UTF8 on OpenSSL

You can also generate a CSR with a UTF8 encoding.

To activate UTF8 with OpenSSL tools, update the default OpenSSL configuration file: openssl.cnf

In this file: affect the string_mask = utf8only variable of the [req] section. Example:

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
#string_mask = nombstr
string_mask = utf8only

Then, re-execute the OpenSSL command, the CSR will be generated in UTF8.
For example:

openssl req -new -newkey rsa:2048 -nodes -out \
-keyout \
-subj "/C=FR/ST=Calvados/L=Caen/O=TBS-INTERNET/CN=*"

To see the CSR details and check its encoding, use the following command:

openssl req -text -noout -in  -nameopt sep_multiline,utf8,show_type