6

I have been searching through RFC 5280, 1034, and 1123 trying to figure out what a max string length is, but I can't find it. I'm wondering if any of you happen to know.

For those of you who know about X509v3 certificates, you know that you can include a Subject Alternative Name (SAN) in the cert. There are different types of SANs: email address, dns name, directory name, etc.

I'm adding SANs of type DNSName to my certificates and I cannot figure out what the maximum length is for SANs of type DNSName.

Do any of you know?

John Ruiz

2 Answers

7

RFC 5280 specifies 1..MAX GeneralNames for SubjectAltName in 4.2.1.6:

SubjectAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

In Appendix B. it states that

The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 constructs. A valid ASN.1 sequence will have zero or more entries. The SIZE (1..MAX) construct constrains the sequence to have at least one entry. MAX indicates that the upper bound is unspecified. Implementations are free to choose an upper bound that suits their environment.

which means that the limit will be implementation dependent. This CA will sign certs with 150 alternate names, so presumably something will work with that many.

DerfK
  • This would explain why I couldn't find it in the specs: it's implementation-dependent. Thanks! – John Ruiz Jun 09 '14 at 12:46
  • Using the macOS Certificate Assistant, a SubjectAltNames field of length 273 caused the certificate creation to silently fail. After reducing it to a length of 203, it worked. Makes me assume the magic limit may be at something around 255 characters. – not2savvy Sep 13 '22 at 11:29
0

It seems that when I tried it, it was limited to 36 characters for a single DNS name inside the Subj Alt Name.

When I created the self-signed cert using openssl, we used this config:

[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1= *.somedomain.com
DNS.2= x111us-somedomain-com-1888222111.us-east-1.elb.amazonaws.com

When viewed from the browser it shows:

Extension: Subject Alternative Name (2.5.29.17)
Critical: NO
DNS Name: *.test.com
DNS Name: x111us-somedomain-com-1851944707.us-

There are some missing chars on the 2nd DNS name: x111us-somedomain-com-1851944707.us-(some missing chars here***)

bherto39
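As an added example (not code from either answer), a minimal pure-Python DER encoder/decoder for the GeneralNames structure DerfK quotes from RFC 5280, restricted to dNSName entries. It shows that the encoding layer carries a DNSName of any length using long-form length octets, so a cut-off like the 36 characters shown in the second answer or the limit not2savvy hit in the macOS Certificate Assistant belongs to the tool that builds or displays the certificate, which is the "implementation dependent" upper bound the RFC leaves open.

```python
# Added example: encode/decode RFC 5280 GeneralNames (SAN) with dNSName
# entries only. dNSName is GeneralName CHOICE [2] IMPLICIT IA5String,
# which in DER is the primitive context-specific tag 0x82.

DNSNAME_TAG = 0x82   # [2] primitive: GeneralName.dNSName
SEQUENCE_TAG = 0x30  # GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_general_names(dns_names: list[str]) -> bytes:
    """Encode a SubjectAltName value holding only dNSName GeneralNames."""
    if not dns_names:
        # SIZE (1..MAX): the lower bound is the only size the RFC fixes.
        raise ValueError("GeneralNames requires at least one entry")
    inner = b"".join(
        bytes([DNSNAME_TAG]) + der_length(len(n)) + n.encode("ascii")
        for n in dns_names
    )
    return bytes([SEQUENCE_TAG]) + der_length(len(inner)) + inner


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, position after the length octets)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def decode_general_names(der: bytes) -> list[str]:
    """Return the dNSName strings of a DER GeneralNames; other name types are skipped."""
    if der[0] != SEQUENCE_TAG:
        raise ValueError("expected SEQUENCE")
    total, pos = _read_length(der, 1)
    end = pos + total
    names = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        if tag == DNSNAME_TAG:
            names.append(der[pos:pos + length].decode("ascii"))
        pos += length  # constructed types (e.g. directoryName) are skipped whole
    return names
```

The constructed 267-character name below the 255 mark that not2savvy suspected round-trips unchanged; only the length prefix changes from short to long form.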