getting a godaddy cert using certtool

Simon Josefsson simon at josefsson.org
Mon Jan 11 10:59:02 CET 2010


There have been some questions about getting certificates from commercial
CAs using GnuTLS tools.  I just bought a cert from godaddy and it worked
fine.  I was using certtool and thought I'd share the steps I used.  I
used GnuTLS 2.8.5 as packaged in Debian.

$ certtool -p --outfile api2.yubico.com-key.pem
Generating a 2048 bit RSA private key...
$
$ certtool --generate-request --load-privkey api2.yubico.com-key.pem 
Generating a PKCS #10 certificate request...
Country name (2 chars): SE
Organization name: Yubico AB
Organizational unit name: 
Locality name: 
State or province name: 
Common name: api2.yubico.com
UID: 
Enter a dnsName of the subject of the certificate: api2.yubico.com
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 74.207.251.59
Enter the e-mail of the subject of the certificate: 
Enter a challenge password: 
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N): n
Is this also a TLS web server certificate? (y/N): y
PKCS #10 Certificate Request Information:
...

I cut'n'pasted the CSR printed in '...' above to Godaddy, and verified
the domain ownership through their e-mail ping, and I was then able to
download a ZIP file containing the certificate.

There are some things I note in the certificate I got though:

		Key Purpose (not critical):
			TLS WWW Server.
			TLS WWW Client.

This is even though I didn't ask for a WWW client cert!

		Key Usage (critical):
			Digital signature.
			Key encipherment.

This seems right.

		Subject Alternative Name (not critical):
			DNSname: api2.yubico.com
			DNSname: www.api2.yubico.com

They added a 'www.api2.yubico.com' name although I didn't ask for it.

Note that they dropped the IP address SAN that I supplied.

/Simon
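An added check, not from Simon's post, that compares an issued certificate against what the CSR asked for: it parses the text `certtool --certificate-info` prints and reports the SANs and key purposes the CA added or dropped, which for the certificate above are the extra `www.` name, the missing IP address and the unrequested TLS WWW Client purpose. The certificate excerpt is constructed from the post, and the `IPAddress:` label for an IP SAN is an assumption about certtool's output; with a real certificate, set CERT_INFO from `certtool --certificate-info --infile cert.pem`.

```shell
#!/bin/sh
# Added example (not from the original post): compare an issued certificate
# with what the CSR requested, using the text certtool prints for
#   certtool --certificate-info --infile api2.yubico.com-cert.pem

# What the CSR in the post asked for, written the way certtool prints it.
# The "IPAddress:" label for an IP SAN is assumed here.
REQUESTED_SANS="DNSname: api2.yubico.com
IPAddress: 74.207.251.59"
REQUESTED_PURPOSES="TLS WWW Server."

# Constructed excerpt of the issued certificate, mirroring the post.
# For a real certificate: CERT_INFO=$(certtool --certificate-info --infile cert.pem)
CERT_INFO='        Key Purpose (not critical):
                TLS WWW Server.
                TLS WWW Client.
        Key Usage (critical):
                Digital signature.
                Key encipherment.
        Subject Alternative Name (not critical):
                DNSname: api2.yubico.com
                DNSname: www.api2.yubico.com'

# Print the entries listed under the extension header named in $1,
# one per line with the indentation removed.
extension_entries() {
    printf '%s\n' "$CERT_INFO" | awk -v want="$1" '
        /\((not )?critical\):[ \t]*$/ { inside = index($0, want) > 0; next }
        inside && NF { sub(/^[ \t]+/, ""); print }'
}

# Print the lines of $1 that do not occur in $2 (exact line match).
lines_not_in() {
    printf '%s\n' "$1" | OTHER="$2" awk '
        BEGIN { n = split(ENVIRON["OTHER"], a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)'
}

cert_sans()            { extension_entries 'Subject Alternative Name'; }
unrequested_sans()     { lines_not_in "$(cert_sans)" "$REQUESTED_SANS"; }
dropped_sans()         { lines_not_in "$REQUESTED_SANS" "$(cert_sans)"; }
unrequested_purposes() { lines_not_in "$(extension_entries 'Key Purpose')" "$REQUESTED_PURPOSES"; }

printf 'SANs the CA added:\n%s\n'         "$(unrequested_sans)"
printf 'SANs the CA dropped:\n%s\n'       "$(dropped_sans)"
printf 'Key purposes the CA added:\n%s\n' "$(unrequested_purposes)"
```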