Certificate request has been altered by CA company to localauthority.sch.uk

Hi,

I have requested a ssl cert using
CN = vpn.(school).(LA).sch.uk

I have just had an email to say they are processing

Domain name = (LA).sch.uk
Server Name = vpn.(school).(LA).sch.uk

Should I be concerned?

I see no difference

Sorry, I have been finding this very confusing as our LA control the firewall / ports and DNS.

So have they got the domain name correct then? LocalAuthority.sch.uk

Yes, localauthority.sch.uk is the domain, the other parts are subdomains. So the details they've given are correct.

school.region.sch.uk is the domain ... vpn.school.region.sch.uk is the Fully Qualified Domain Name.

region.sch.uk is not the domain (though the CA is treating it as such). A domain is the entirety of what is registered via a Domain Registrar. Some vendors have had a tendency to take the cTLD and treat the next zone as the domain, despite very clear instructions.

Yes. Phone them up because some cert and hosting providers really don't grasp how the school.region.sch.uk breaks down.

Our certs (for example) are of the whatever.school.region.sch.uk format (i.e moodle, webmail etc) and it did take a bit of "ok, repeat that back to me to ensure you understand it" and a couple of nominet links before it clicked.

Quote:

---

Originally Posted by GrumbleDook

school.region.sch.uk is the domain ... vpn.school.region.sch.uk is the Fully Qualified Domain Name.

region.sch.uk is not the domain (though the CA is treating it as such). A domain is the entirety of what is registered via a Domain Registrar. Some vendors have had a tendency to take the cTLD and treat the next zone as the domain, despite very clear instructions.

---

That's not how the standard was defined, that's why... The standard was supposed to be .com was a tld, a .co.uk was a cctld and then anything else was a domain on one of those. That was according to RFC 1480 and RFC 1591. So, its understandable that registrars don't understand it really!

Quote:

---

Originally Posted by localzuk

That's not how the standard was defined, that's why... The standard was supposed to be .com was a tld, a .co.uk was a cctld and then anything else was a domain on one of those. That was according to RFC 1480 and RFC 1591. So, its understandable that registrars don't understand it really!

---

To clarify ... *everything* is a domain. TLD means Top Level Domain and it is controlled / managed by given organisations. .uk TLDs (.sch.uk, .me.uk, .org.uk) are dealt with by Nominet (some are delegated such as .police.uk and .gov.uk) and are not a true ccTLD (one of the reasons why I've always been told to refer to it as a cTLD instead) as they are an exception to ISO 3166. The next zone to the left of the TLD is the Second Level Domain. For .sch.uk this is a hierarchical zone to regionalise domains and so they are not used to register a domain (I believe that there are a few historic examples due to previous conversations with nominet but never been told what they are). The Third Level Domain is that which is registered via a Registrar and is considered as the 'domain'.

The changes since RFCs 1480 and 1591 were written have been prodded and poked a number of times but perhaps RFC 3071 is an interesting one for folk to read to try to understand how things change, whether through gradual change due to need or simply due to change because that is how things ended up happening.

Thanks for all the info. Just to double check I should contact the CA and get them to use school.region.sch.uk?

Quote:

---

Originally Posted by edutech4schools

Thanks for all the info. Just to double check I should contact the CA and get them to use school.region.sch.uk?

---

Its fine. As per post 4.

but in post 5

Quote:

---

school.region.sch.uk is the domain ... vpn.school.region.sch.uk is the Fully Qualified Domain Name.
region.sch.uk is not the domain

---

So based on the above info I need school.region.sch.uk and not simply region.sch.uk

and in post 6

Quote:

---

Yes. Phone them up because some cert and hosting providers really don't grasp how the school.region.sch.uk breaks down.

---

I seem to be getting conflicting help. No wonder so many people get confused.

So who is correct?

Post 4 is correct

Type your full domain name into WHOIS Search, Domain Name, Website, and IP Tools - Who.is for example school.lea.sch.uk. Right at the top you will see it display as lea.sch.uk this is because the school name is a sub domain of .lea.sch.uk.

Odd. When I use your link it comes back with invalid domain name but if I use this WHOIS tool | Nominet is comes back and tells me the domain is school.region.sch.uk and not region.sch.uk.

can I pm you our school info?

school.lea.sch.uk is your domain. lea.sch.uk is invalid.

Quote:

---

This domain cannot be registered because it contravenes the Nominet UK
naming rules. The reason is:
invalid format for a .sch.uk domain name.

---

I have the bi-annual chore of making our CA understand that lea.sch.uk does not exist.

Bottom line, yes you should be concerned.

Quote:

---

Originally Posted by FN-GM

Post 4 is correct

Type your full domain name into WHOIS Search, Domain Name, Website, and IP Tools - Who.is for example school.lea.sch.uk. Right at the top you will see it display as lea.sch.uk this is because the school name is a sub domain of .lea.sch.uk.

---

Maybe your LEA/RBC has contacted nominet and done things differently, it certainly isn't that way for us and by nominets help pages lea.sch.uk is an invalid format.

*Do Not Accept .region.sch.uk*

To have a valid certificate you should own / manage / control the domain being used. You do not control .region.sch.uk ... no-one does (except Nominet). Your CA should be validating the ownership of the domain prior to the issuing of the certificate and if you let them proceed it can take flaming ages to get them to realise the mistake they are making. As with @j17sparky ... the voice of bitter experience of having to help out schools over the last 5 years!