Reputation: 869
Is there any limit for subject alternative names in X.509? Also are there any rules for the SAN?
Upvotes: 29
Views: 33746
Reputation: 5664
The Subject Alternative Name extension is fully specified by RFC 5280 section 4.2.1.6.
Some rules or notes about the use of this extension include:
The subject name MAY be carried in the subject field and/or the subjectAltName extension. Note that if any dNSName is present in the subjectAltName extension, then all DNS names should be included there, including those in the subject name field. See RFC 2818 for details.
If the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present and marked as critical.
Subject alternative names MAY be constrained in the same manner as subject distinguished names using the name constraints extension. That is, the name constraints extension on a CA certificate can impose a name space within which all subject names (including alternative names) in subsequent certificates in a certification path MUST be located.
If the subjectAltName extension is present, the sequence MUST contain at least one entry. No upper bound is defined; implementations are free to choose an upper bound that suits their environment.
Unlike the subject field, conforming CAs MUST NOT issue certificates with subjectAltNames containing empty GeneralName fields.
The semantics of subject alternative names that include wildcard characters are not addressed by RFC 5280. However, RFC 6125 states "the wildcard character '*' SHOULD NOT be included in presented identifiers".
Upvotes: 9
Reputation: 4238
1. Also are there any rules for the SAN?
RFC5280 specifies Subject Alternative Names as
SubjectAltName ::= GeneralNames
whereby GeneralNames are
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
So, look up the 'rules' for a GeneralName in the RFC (page 37).
2. Is there any limit for subject alternative names in X.509?
As stated in the same rfc in chapter Appendix B. ASN.1 Notes:
The SIZE (1..MAX) construct constrains the sequence to have at least one entry. MAX indicates that the upper bound is unspecified.
Upvotes: 21
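As an added example (not code from either answer above), the following decodes a DER-encoded GeneralNames value (SEQUENCE SIZE (1..MAX) OF GeneralName) and checks the rules both answers cite: at least one entry, no empty GeneralName, a critical extension when the subject DN is empty, and no '*' in a dNSName. The sample SAN bytes are constructed inline; only the dNSName, rfc822Name, URI and IPv4 iPAddress forms are decoded.

```python
# Minimal DER decoder for SubjectAltName (GeneralNames) plus RFC 5280 / RFC 6125 checks.
# Constructed for this example; not a replacement for a full X.509 parser.

GENERAL_NAME_TAGS = {1: "rfc822Name", 2: "dNSName",
                     6: "uniformResourceIdentifier", 7: "iPAddress"}

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def parse_general_names(der):
    """Decode GeneralNames into a list of (type, value) tuples."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:             # GeneralName choices are context-specific tags
            raise ValueError("GeneralName must use a context-specific tag")
        num = tag & 0x1F
        kind = GENERAL_NAME_TAGS.get(num, f"[{num}]")
        if num in (1, 2, 6):
            names.append((kind, value.decode("ascii")))
        elif num == 7:                     # assumes IPv4 here (4 octets)
            names.append((kind, ".".join(str(b) for b in value)))
        else:
            names.append((kind, value))
    return names

def check_san(der, subject_dn_empty, critical):
    """Return the list of rule violations (empty list means the SAN passes)."""
    names = parse_general_names(der)
    problems = []
    if not names:
        problems.append("SIZE (1..MAX): SAN must contain at least one entry")
    for kind, value in names:
        if len(value) == 0:
            problems.append(f"empty GeneralName of type {kind}")
        if kind == "dNSName" and "*" in value:
            problems.append(f"wildcard in presented identifier {value!r} (RFC 6125)")
    if subject_dn_empty and not critical:
        problems.append("subject DN is empty, so subjectAltName MUST be critical")
    return problems

def _tlv(tag, value):                      # short-form length suffices for these samples
    return bytes([tag, len(value)]) + value

# Constructed sample SANs: one well-formed, one that breaks several rules.
GOOD_SAN = _tlv(0x30, _tlv(0x82, b"example.com") + _tlv(0x82, b"www.example.com")
                + _tlv(0x87, bytes([192, 0, 2, 10])))
BAD_SAN = _tlv(0x30, _tlv(0x82, b"*.example.com") + _tlv(0x82, b""))
```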