/
(DC) Subject Alternative Name Field (SAN)

(DC) Subject Alternative Name Field (SAN)

Description

The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, such as a Multi-Domain (SAN) or Extend Validation Multi-Domain Certificate.

Subject Alternative Name (SAN) is an extension to the SSL Protocol; it allows various values to be associated with an SSL certificate using alternative names, for example:

  • Email addresses

  • IP addresses

  • DNS names or Common Name (FQDN)

  • Directory names or Distinguished Names

  • General Names or Universal Principal Names

 

Table of Contents

 

Untitled.png

Unless you need to have a SAN established for your certificate, it is recommended that you leave it blank.  It is not necessary.  The certificate authority might populate the SAN as part of the encoding process to included the host name or common name, but this is automatic and not required to be populated to have a certificate generated.

Valid SAN field entry prefixes

Not all certificates are SSL certificates, but just about all certificates support Subject Alternative Name (SAN).  Thus, there are additional valid prefixes that exist that can put into a CSR, but are NOT valid for SSL certificates, such as LDAP entries, code signing, etc..

Prefix

Valid for Certificate Type

Description/Purpose

Prefix

Valid for Certificate Type

Description/Purpose

DNS:

SSL

Provide additional FQDNs to the SSL Certificate that it will be validate.

IP:

SSL

Allows you to supply an IP address within the SAN list.  This is very unorthodox, as it is literally impossible to validate an IP, but sometimes required by an application or service as a way of providing the IP that the FQDN should resolve to as a security measure.

EMAIL:

SSL

Allows you to specify an email address in the SANs list.  This is usually only required for the certificate to be used to sign email communications and verify the owner of the certificate and domain.  Sometimes the application or service will send validation emails to the email address listed to ensure that the email is valid and can be responded to.

dn:
cn:
givenName:
telephoneNumber:
mail:
manager:
objectclass:
sn:

LDAP / LDIF

X.500 directory services were traditionally accessed via the X.500 Directory Access Protocol (DAP), which required the Open Systems Interconnection (OSI) protocol stack. LDAP was originally intended to be a lightweight alternative protocol for accessing X.500 directory services through the simpler (and now widespread) TCP/IP protocol stack.

dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

OID:
or simply the OID itself.

URI

An OID corresponds to a node in the "OID tree" or hierarchy, which is formally defined using the ITU's OID standard, X.660. The root of the tree contains the following three arcs:

Each node in the tree is represented by a series of integers separated by periods, corresponding to the path from the root through the series of ancestor nodes, to the node. Thus, an OID denoting Intel Corporation appears as follows,

1.3.6.1.4.1.343

and corresponds to the following path through the OID tree:

  • 1 ISO

  • 1.3 identified-organization,

  • 1.3.6 DoD,

  • 1.3.6.1 internet,

  • 1.3.6.1.4 private,

  • 1.3.6.1.4.1 IANA enterprise numbers,

  • 1.3.6.1.4.1.343 Intel Corporation

A textual representation of the OID paths is also commonly seen; for example,

  • iso.identified-organization.dod.internet.private.enterprise.intel

Each node in the tree is controlled by an assigning authority, which may define child nodes under the node and delegate assigning authority for the child nodes. Continuing with the example, the node numbers under root node "1" are assigned by ISO; the nodes under "1.3.6" are assigned by the US Department of Defense; the nodes under "1.3.6.1.4.1" are assigned by IANA; the nodes under "1.3.6.1.4.1.343" are assigned by Intel Corporation, and so forth.

There are so many more fields and support data that are not supported by SSL certificates.  It is best to KISS (Keep It Small and Simple OR Keep it Simple, Stupid) and never put more information into a Certificate Signing Request than what is absolutely needed.

Troubleshooting

Alternative SAN Display


(invalid format, for display only)

There are defined standards on what a valid certificate signing request will entail and the proper values for the fields.  Unfortunately, not all tools and services follow these standards.

For example, in Windows, it will display the SAN as:  "DNS Name=aaa.bbb.ccc.edu"; which is an invalid format.   It is best never to use these as templates for supplying information when creating a CSR; but know it is just a another way of representing existing data.   Refer above, for valid field prefixes.

 

Non-Matching SAN Options

The SANs options you have entered do not match the SAN options on the original certificate.

This problem can occur for several reasons:

  • You added a space before or after the SAN.

  • There is a typo in the information you have provided.

  • You are entering the Common Name (CN) of the certificate as a SAN. Following regulations, we will always add your Common Name as a SAN, this does not need to be specified.

  • You incorrectly enter the SAN as a sub-domain, multi-domain name, internal SAN or IP. You need to choose the correct type of SAN which applies to the SAN. Please also check the above information on different SANs.

 

Confluence Documentation | Web Privacy Policy | Web Accessibility