[pkix] Syntax of Subject Alternative Names field in a certificate

Andreas Maier <maiera@de.ibm.com> Tue, 16 April 2024 12:12 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/z7qVcd0wTiFaT2_GIMH2RG6c-jg>

Hi, I am trying to understand what the syntax is for the string value of the Subject Alternative Names field, particularly when it contains multiple entries.

I was hoping to find that in https://datatracker.ietf.org/doc/html/rfc5280, which has a section 4.2.1.6 (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) “Subject Alternative Name”, but I could not get that out of the syntax description in there.

I can find examples which seem to suggest it is a comma-separated list of items, each of which has a type indicator (e.g. “DNS”), as in:

DNS:{hostname1},IP:{ip2},email:{email},URI:{uri4}

Some sources for the examples:

  *   https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
  *   https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094754en_us&docLocale=en_US&page=index.html
  *   https://www.linode.com/docs/guides/using-openssls-subjectaltname-with-multiple-site-domains/

Where is the syntax of the Subject Alternative Names field documented in an RFC?

Are the type indicators mandatory or optional?

Kind regards,
Andy
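The comma-separated `DNS:...,IP:...` form asked about above is OpenSSL's x509v3_config notation for requesting the extension (type prefixes are required there), while RFC 5280 section 4.2.1.6 defines the certificate field itself as an ASN.1 `SEQUENCE OF GeneralName`, so the certificate never carries a comma-separated string. The added example below, which is not part of the original thread, converts the OpenSSL notation into the DER GeneralNames encoding and back for the four types named in the post (`DNS`, `IP`, `email`, `URI`); the function names and the sample input are constructed for illustration.

```python
import ipaddress

# RFC 5280 GeneralName CHOICE alternatives used here, as context-specific
# IMPLICIT primitive tags: rfc822Name [1], dNSName [2], URI [6], iPAddress [7].
_TAGS = {"email": 0x81, "DNS": 0x82, "URI": 0x86, "IP": 0x87}
_NAMES = {tag: typ for typ, tag in _TAGS.items()}

def _der_len(n):
    """DER definite-form length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(buf, i):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_openssl_san(text):
    """Split OpenSSL 'type:value,...' notation; a missing type prefix is an error."""
    items = []
    for part in (p.strip() for p in text.split(",") if p.strip()):
        if ":" not in part:
            raise ValueError(f"missing type prefix: {part!r}")
        typ, value = part.split(":", 1)  # split once so 'URI:https://...' keeps its colon
        if typ not in _TAGS:
            raise ValueError(f"unsupported GeneralName type: {typ!r}")
        items.append((typ, value.strip()))
    return items

def encode_general_name(typ, value):
    """One GeneralName TLV: iPAddress is raw octets, the others are IA5String."""
    content = ipaddress.ip_address(value).packed if typ == "IP" else value.encode("ascii")
    return bytes([_TAGS[typ]]) + _der_len(len(content)) + content

def encode_san(text):
    """SubjectAltName value: SEQUENCE (0x30) OF GeneralName, per RFC 5280 4.2.1.6."""
    names = b"".join(encode_general_name(t, v) for t, v in parse_openssl_san(text))
    return b"\x30" + _der_len(len(names)) + names

def decode_san(der):
    """Walk the DER SEQUENCE and render each GeneralName back in OpenSSL notation."""
    if der[0] != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    total, i = _read_len(der, 1)
    out, end = [], i + total
    while i < end:
        tag, (length, i) = der[i], _read_len(der, i + 1)
        content, i = der[i:i + length], i + length
        typ = _NAMES.get(tag)
        if typ is None:
            raise ValueError(f"unhandled GeneralName tag 0x{tag:02x}")
        value = str(ipaddress.ip_address(content)) if typ == "IP" else content.decode("ascii")
        out.append(f"{typ}:{value}")
    return ",".join(out)
```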