> On Apr 26, 2017, at 1:03 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote:
> 
> A naïve question. A certificate that contains SAN attribute(s) – is there a
> limit on how many, say, RFC822 SAN attributes can a valid certificate have?

None of the standard SAN types (DNS, Email, IP, ...) are limited to just one
entry.  If you try to have hundreds of them, eventually the certificate may
become too big for various protocols, but that's an explicit limit on the SAN
multiplicity.

> It’s been my understanding that a cert can contain as many SAN attributes as
> needed, but it appears that Apple believes it has to be only one (because
> certificates with more than one are not processed properly).

Perhaps CAs have rarely issued email certificates with multiple email addresses.

> Sanity check: please validate – am I correct that having, say, two RFC822
> email addresses in one cert is OK?

OpenSSL will accept multiple email SANs and with email name checks will accept
the certificate as valid so long as one of the addresses is a match.

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
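
The behaviour described in the reply above can be checked with the `openssl` command line. This is an added example, not part of the original message: the addresses, subject name and file names are constructed, and it assumes OpenSSL 1.1.1 or later (for `-addext` and `-ext`) with a default `openssl.cnf` present.

```shell
#!/bin/sh
# Added example: throwaway self-signed certificate, constructed addresses.

# make_cert DIR: write DIR/key.pem and DIR/cert.pem, where the certificate
# carries two rfc822Name (email) entries in its subjectAltName extension.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=multi-email SAN test" \
        -addext "subjectAltName=email:alice@example.com,email:alice@example.org" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# count_email_sans CERT: print how many email entries the SAN extension holds.
count_email_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | grep -o 'email:' | wc -l | tr -d ' '
}

# email_matches CERT ADDRESS: succeed if OpenSSL's email name check accepts
# ADDRESS for CERT. The tool prints "does match" or "does NOT match", so the
# result is taken from that text rather than from the exit status.
email_matches() {
    openssl x509 -in "$1" -noout -checkemail "$2" \
        | grep -q 'does match certificate'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_cert "$workdir"

echo "email SAN entries: $(count_email_sans "$workdir/cert.pem")"
# Both listed addresses should match; an address not in the SAN should not.
for addr in alice@example.com alice@example.org bob@example.com; do
    if email_matches "$workdir/cert.pem" "$addr"; then
        echo "$addr: match"
    else
        echo "$addr: no match"
    fi
done
```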
