[openssl-users] How many SAN entries...?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 26 17:13:15 UTC 2017


> On Apr 26, 2017, at 1:03 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> 
> A naïve question. A certificate that contains SAN attribute(s) – is there a limit
> on how many, say, RFC822 SAN attributes a valid certificate can have?

None of the standard SAN types (DNS, Email, IP, ...) are limited to just one
entry.  If you try to have hundreds of them, eventually the certificate may
become too big for various protocols, but that's an explicit limit on the SAN
multiplicity.

> It’s been my understanding that a cert can contain as many SAN attributes as needed,
> but it appears that Apple believes it has to be only one (because certificates with
> more than one are not processed properly).

Perhaps CAs have rarely issued email certificates with multiple email addresses. 

> Sanity check: please validate – am I correct that having, say, two RFC822 email
> addresses in one cert is OK?

OpenSSL will accept multiple email SANs and with email name checks will accept
the certificate as valid so long as one of the addresses is a match.

-- 
	Viktor.
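As an added illustration of the behaviour Viktor describes (this script is not from the thread or from OpenSSL's own documentation), the following issues a self-signed certificate carrying two rfc822Name SANs and then runs OpenSSL's email name check against each address; the addresses, file names and the use of the self-signed cert as its own trust anchor are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: a certificate with two email
# SANs is accepted by `openssl verify -verify_email` for either address and
# rejected for an address it does not carry. Assumes the openssl(1) CLI.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Request config: a CN plus two rfc822Name SANs (constructed sample addresses).
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_san
[ dn ]
CN = Alice Example
[ v3_san ]
subjectAltName = email:alice@example.com, email:alice@example.org
EOF

# Self-signed leaf certificate; it doubles as the trust anchor for the check.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/san.cnf" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Returns 0 only when chain validation succeeds AND the given address matches
# one of the certificate's email SANs (-verify_email, OpenSSL 1.0.2 and later).
check_email_san() {
  openssl verify -CAfile "$WORK/cert.pem" -verify_email "$1" \
    "$WORK/cert.pem" >/dev/null 2>&1
}

# Number of rfc822Name entries actually present in the certificate.
count_email_sans() {
  openssl x509 -in "$WORK/cert.pem" -noout -text \
    | grep -o 'email:[^, ]*' | wc -l | tr -d ' '
}

echo "email SANs in certificate: $(count_email_sans)"
for addr in alice@example.com alice@example.org bob@example.com; do
  if check_email_san "$addr"; then echo "$addr: accepted"; else echo "$addr: rejected"; fi
done
```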
