Subject Alternative Name limited to one DNS entry
sovamind opened this issue · 4 comments
The Subject Alternative Name extension is fully specified by RFC 5280 section 4.2.1.6.
Some rules or notes about the use of this extension include:
The subject name MAY be carried in the subject field and/or the subjectAltName extension. Note that if any DNSName is present in the subjectAltName extension, then all DNS names should be included there, including those in the subject name field. See RFC 2818 for details.
The semantics of subject alternative names that include wildcard characters are not addressed by RFC 5280. However, RFC 6125 states "the wildcard character '*' SHOULD NOT be included in presented identifiers".
Per these rules, and with browsers increasingly being strict in certificate checks, Portecle should be changed to support adding multiple Subject Alternative Name fields in the extension. At a minimum, multiple DNS: entries should be supported to enable compatibility with the RFC spec. Ideally, additional fields such as email and IP should be allowed.
Suggested change:
Rather than asking for a single DNS field entry for SAN extension, the UI should allow a delimited string specifying all the field entries. This would be similar to the OpenSSL format, e.g.
subjectAltName=DNS:example.com,DNS:www.example.com,IP:10.0.0.1,Email:info@example.com
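As an added example (not Portecle's own code, and not what the later commit implements), here is how the delimited OpenSSL-style string above can be parsed into typed entries and then DER-encoded as the GeneralNames SEQUENCE that RFC 5280 section 4.2.1.6 defines. It supports the four types a keystore GUI would most need (DNS, IP, email, URI), validates IP literals with the standard library, and, in line with the RFC 6125 note, rejects wildcard dNSNames unless the caller opts in. The function names `parse_san` and `encode_san` and the context-specific tag table are this example's own; the sample input is the string from the issue.

```python
"""
Parse an OpenSSL-style subjectAltName string into typed GeneralName
entries and DER-encode the GeneralNames SEQUENCE (RFC 5280 4.2.1.6).
Added example; not Portecle or BouncyCastle code.
"""
import ipaddress
import re

# GeneralName context-specific tags from RFC 5280 section 4.2.1.6.
# All four are primitive: rfc822Name, dNSName and URI carry IA5String,
# iPAddress carries an OCTET STRING (4 or 16 octets).
GENERAL_NAME_TAGS = {"email": 0x81, "DNS": 0x82, "URI": 0x86, "IP": 0x87}

# Accept the spellings OpenSSL users commonly write; normalise to one key.
_TYPE_ALIASES = {"dns": "DNS", "ip": "IP", "email": "email", "uri": "URI"}

# Conservative hostname label check: letters, digits, inner hyphens only.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _check_dns(name: str, allow_wildcard: bool) -> str:
    """Validate a dNSName; a leading '*' label is only accepted on request."""
    labels = name.split(".")
    if labels and labels[0] == "*":
        if not allow_wildcard:
            raise ValueError(f"wildcard not allowed (RFC 6125): {name}")
        labels = labels[1:]
    if not labels or not all(_LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError(f"invalid dNSName: {name}")
    return name


def parse_san(spec: str, allow_wildcard: bool = False) -> list:
    """Return [(type, value), ...] from e.g. 'DNS:a.com,IP:10.0.0.1'."""
    if spec.lower().startswith("subjectaltname="):
        spec = spec.split("=", 1)[1]
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"entry lacks a TYPE: prefix: {item}")
        # Split on the first ':' only, so IPv6 literals and URIs survive.
        kind, value = item.split(":", 1)
        kind = _TYPE_ALIASES.get(kind.strip().lower())
        value = value.strip()
        if kind is None:
            raise ValueError(f"unsupported SAN type in: {item}")
        if kind == "DNS":
            value = _check_dns(value, allow_wildcard)
        elif kind == "IP":
            ipaddress.ip_address(value)  # raises ValueError on junk
        elif kind == "email" and ("@" not in value or " " in value):
            raise ValueError(f"invalid rfc822Name: {value}")
        entries.append((kind, value))
    if not entries:
        raise ValueError("subjectAltName must contain at least one name")
    return entries


def encode_san(entries: list) -> bytes:
    """DER-encode GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName."""
    body = b""
    for kind, value in entries:
        if kind == "IP":
            payload = ipaddress.ip_address(value).packed  # 4 or 16 octets
        else:
            payload = value.encode("ascii")  # IA5String content
        body += bytes([GENERAL_NAME_TAGS[kind]]) + _der_len(len(payload)) + payload
    return b"\x30" + _der_len(len(body)) + body


if __name__ == "__main__":
    # Sample input taken from the issue text above.
    spec = ("subjectAltName=DNS:example.com,DNS:www.example.com,"
            "IP:10.0.0.1,Email:info@example.com")
    names = parse_san(spec)
    print(names)
    print(encode_san(names).hex())
```

The encoder deliberately emits only the extension value; wrapping it in the outer Extension SEQUENCE with the id-ce-subjectAltName OID and the critical flag is left to the certificate library, which is also where the otherName, x400Address and ediPartyName choices would have to be handled since they are constructed rather than primitive encodings.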
I'm not sure if this feature request has been completed. It's great that IP entries are now supported, but I'm not sure if the commit now allows multiple entries. We need to be able to support multiple DNS entries for some certificates which have multiple host names.
I'm not sure you're looking at the correct commit that was actually applied :)
994925f adds support for an arbitrary number of SANs of any type specified for a SAN. otherName, x400Address, and ediPartyName don't work though because of BouncyCastle limitations.