Re: [pkix] Syntax of Subject Alternative Names field in a certificate

Michael StJohns <msj@nthpermutation.com> Tue, 16 April 2024 15:52 UTC

Message-ID: <4bc8e888-232a-4298-b10f-441ce7d41e7a@nthpermutation.com>
Date: Tue, 16 Apr 2024 11:52:15 -0400
To: pkix@ietf.org
References: <BY1PR15MB6150E0A016987E14C1991B40EF082@BY1PR15MB6150.namprd15.prod.outlook.com> <BY1PR15MB6150B48C505432B45AC299F5EF082@BY1PR15MB6150.namprd15.prod.outlook.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <BY1PR15MB6150B48C505432B45AC299F5EF082@BY1PR15MB6150.namprd15.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/vz5RctayfWYpGAZ8qjg54Yo_1JY>
Subject: Re: [pkix] Syntax of Subject Alternative Names field in a certificate
List-Id: PKIX Working Group <pkix.ietf.org>

Hi Andreas -

You appear to be asking about how to make OpenSSL issue a cert with an 
SAN.  That's not a topic for this list.

This list is about IETF standards in the Public Key Infrastructure field 
of use.  If you have a question about the ASN1 that goes into making an 
SAN OtherName, that would be more appropriate for this list.

I'd suggest referring your questions to the OpenSSL community, or going 
to the repository and reading the code directly.

Good luck - Mike

On 4/16/2024 8:12 AM, Andreas Maier wrote:
>
> Hi, I am trying to understand what the syntax is for the string value 
> of the Subject Alternative Names field, particularly when it contains 
> multiple entries.
>
> I was hopeful to find that in 
> https://datatracker.ietf.org/doc/html/rfc5280 which has a section 
> 4.2.1.6 
> <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6> 
> “Subject Alternative Name” but I could not get that out of the syntax 
> description in there. I can find examples which seem to suggest it is 
> a comma-separated list of items, each of which has a type indicator 
> (e.g. “DNS”), as in: DNS:{hostname1},IP:{ip2},email:{email},URI:{uri4}
>
> Some sources for the examples:
>
>   * https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>   * https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094754en_us&docLocale=en_US&page=index.html
>   * https://www.linode.com/docs/guides/using-openssls-subjectaltname-with-multiple-site-domains/ use:
>
> Where is the syntax of the Subject Alternative Names field documented 
> in an RFC?
> Are the type indicators mandatory or optional?
>
> Kind regards,
>
> Andy
>
>
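Added example, written for this archive page and not code from either poster or from OpenSSL: it translates the comma-separated `DNS:...,IP:...` string quoted above (OpenSSL's config notation) into the DER-encoded GeneralNames that RFC 5280 section 4.2.1.6 actually defines, and parses such DER back, so the two syntaxes can be compared side by side. The function names are mine; handling only the four GeneralName types that appear in the quoted string, and requiring a type prefix on every item, are simplifications made by this example.

```python
import ipaddress
# IMPLICIT context-specific tags of the GeneralName CHOICE (RFC 5280 4.2.1.6); this example handles four types.
TAG_BY_TYPE = {"email": 1, "DNS": 2, "URI": 6, "IP": 7}
TYPE_BY_TAG = {v: k for k, v in TAG_BY_TYPE.items()}

def der_length(n: int) -> bytes:  # DER definite length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def parse_san_string(text: str) -> list:
    """Split the OpenSSL-config style 'DNS:a,IP:b' list; every item needs a type prefix."""
    items = []
    for raw in (p.strip() for p in text.split(",") if p.strip()):
        kind, sep, value = raw.partition(":")
        if not sep or kind not in TAG_BY_TYPE:
            raise ValueError(f"missing or unsupported type prefix in {raw!r}")
        items.append((kind, value))
    return items

def encode_general_names(items) -> bytes:
    """DER GeneralNames: SEQUENCE of implicitly tagged IA5String / OCTET STRING values."""
    body = b""
    for kind, value in items:
        content = ipaddress.ip_address(value).packed if kind == "IP" else value.encode("ascii")
        body += bytes([0x80 | TAG_BY_TYPE[kind]]) + der_length(len(content)) + content
    return b"\x30" + der_length(len(body)) + body

def _read_tlv(buf: bytes, pos: int):  # one DER tag-length-value at pos -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_general_names(der: bytes) -> list:
    """Inverse of encode_general_names; rejects any tag outside the supported types."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        kind = TYPE_BY_TAG.get(tag & 0x1F) if (tag & 0xC0) == 0x80 else None
        if kind is None:
            raise ValueError(f"unsupported GeneralName tag 0x{tag:02x}")
        value = str(ipaddress.ip_address(content)) if kind == "IP" else content.decode("ascii")
        items.append((kind, value))
    return items
```

Feeding the DER of a `subjectAltName` extension value from a real certificate into `decode_general_names` shows what the certificate carries: tagged values, with no comma list and no `DNS:` prefixes anywhere in the encoding.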