Forum Discussion

mhite_60883
Jan 01, 2013

Return values of get_certificate_subject_alternative_name_bundle()

Hello!


10 Replies

  • Here's an example:

    2013-01-01 08:19:23 DEBUG: Executing iControl method: System.Session.set_active_folder((), {'folder': '/test'})
    2013-01-01 08:19:23 DEBUG: Executing iControl method: Management.KeyCertificate.get_certificate_list((), {'mode': 'MANAGEMENT_MODE_DEFAULT'})
    2013-01-01 08:19:23 DEBUG: cert_list = [{'certificate': {'bit_length': 1024, 'cert_info': {'email': None, 'id': '/test/wildcard.api.test.com'}, 'cert_type': 'CTYPE_CA_SIGNED_NO', 'expiration_date': 1388404800, 'expiration_string': 'Dec 30 12:00:00 2013 GMT', 'issuer': {'common_name': 'DigiCert High Assurance CA-3', 'country_name': 'US', 'division_name': 'www.digicert.com', 'locality_name': None, 'organization_name': 'DigiCert Inc', 'state_name': None}, 'key_type': 'KTYPE_RSA_PUBLIC', 'serial_number': '03:d1:32:ab:9f:4b:a3:bb:da:5e:a9:2d:48:f5:aa:aa', 'subject': {'common_name': '*.api.test.com', 'country_name': 'US', 'division_name': None, 'locality_name': 'Your Mom', 'organization_name': 'My Mom, Inc.', 'state_name': 'California'}, 'version': 3}, 'file_name': '/test/wildcard.api.test.com.crt', 'is_bundled': True}]
    2013-01-01 08:19:23 DEBUG: cert_id_list = ['/test/wildcard.api.test.com']
    2013-01-01 08:19:23 DEBUG: Executing iControl method: Management.KeyCertificate.certificate_check_validity((), {'cert_ids': ['/test/wildcard.api.test.com'], 'mode': 'MANAGEMENT_MODE_DEFAULT', 'watermark_days': [365]})
    2013-01-01 08:19:23 DEBUG: cert_validity_state_list = ['VTYPE_CERTIFICATE_WILL_EXPIRE']
    2013-01-01 08:19:23 DEBUG: Executing iControl method: Management.KeyCertificate.get_certificate_subject_alternative_name_bundle((), {'file_names': ['/test/wildcard.api.test.com.crt'], 'mode': 'MANAGEMENT_MODE_DEFAULT'})
    2013-01-01 08:19:23 DEBUG: subject_alt_list = [['DNS:api.test.com, DNS:*.api.test.com', '', '']]

    For the list of lists returned by get_certificate_subject_alternative_names(), what are the last two empty strings in index 0 of the outer list supposed to represent? (I only pass in one filename, so we are only concerned with index 0.) I can see that the actual SAN list is in index 0, but what are index 1 and 2?

    When you look at the /Common/ca-bundle.crt, what gets returned is even more obtuse. It's entirely full of empty strings except for a random comma that gets thrown into the middle.

    2013-01-01 08:19:19 DEBUG: Executing iControl method: Management.KeyCertificate.get_certificate_subject_alternative_name_bundle((), {'file_names': ['/Common/ca-bundle.crt'], 'mode': 'MANAGEMENT_MODE_DEFAULT'})
    2013-01-01 08:19:20 DEBUG: subject_alt_list = [['', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', ', ', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '']]

    From a practical standpoint, I can just search the returned values for "DNS:" and not worry about the other stuff that gets returned. I'm just wondering if this is some weird bug I am hitting or if those fields are supposed to be returning something else?

    Thanks,

    -M


  • And I seriously hate the brain code quoting abilities of the forum software! FAIL! :( Hopefully you could decipher something from my post.
  • Hi mhite,

    Take a look at the iControl Method description for that method. Might help explain the behavior.

    get_certificate_subject_alternative_name_bundle

    Gets the list of all certificate subject alternative names bundled in the certificate files as specified by the file_names. Each file_name will contain multiple certificate subject alternative names. Note: only call this method when the results of get_certificate_list indicate that there are multiple certificates bundled in a particular file.

    For the ca_bundle that you ran it on, that's the default list of Trusted Root CA Certificates and the massive output shows that none of the certificates stored in the bundle have any SANs.

    Hope this helps.
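An added example (not code from the thread or from the iControl SDK) that walks the structure Michael's method description implies, one outer entry per file_name and one inner string per certificate in that file, and pulls out the DNS SANs the way the original post suggests by looking for "DNS:"; the SAMPLE_OUTPUT values are constructed from the thread's debug output, and covers_hostname is a plain single-label wildcard match of my own, not iControl behaviour.

```python
# Added example, not from the thread or the iControl SDK. SAMPLE_OUTPUT is
# constructed from the debug output in the thread (shortened for the CA bundle).
SAMPLE_OUTPUT = {
    # one outer entry per file_name; one inner string per certificate in the file
    '/test/wildcard.api.test.com.crt': ['DNS:api.test.com, DNS:*.api.test.com', '', ''],
    '/Common/ca-bundle.crt': [''] * 5 + [', '] + [''] * 3,  # no SANs, plus the stray ', '
}


def parse_san_entry(entry):
    """Split one SAN string into (type, value) pairs; empty fragments are skipped."""
    pairs = []
    for fragment in entry.split(','):
        fragment = fragment.strip()
        if not fragment:
            continue  # covers '' and the ', ' entry the thread asks about
        san_type, sep, value = fragment.partition(':')
        if not sep:
            pairs.append(('UNKNOWN', fragment))  # surface anything unparseable
        else:
            pairs.append((san_type.strip().upper(), value.strip()))
    return pairs


def dns_sans_by_file(file_names, subject_alt_list):
    """Map file_name -> {cert index -> DNS SANs}; certs with no DNS SAN are omitted."""
    result = {}
    for file_name, per_cert in zip(file_names, subject_alt_list):
        certs = {}
        for idx, entry in enumerate(per_cert):
            dns = [v for t, v in parse_san_entry(entry) if t == 'DNS']
            if dns:
                certs[idx] = dns
        result[file_name] = certs
    return result


def covers_hostname(dns_names, hostname):
    """True if a DNS SAN matches hostname; '*' matches exactly one left-most label."""
    host = hostname.lower().rstrip('.').split('.')
    for name in dns_names:
        labels = name.lower().rstrip('.').split('.')
        if len(labels) != len(host):
            continue
        if labels == host or (labels[0] == '*' and labels[1:] == host[1:]):
            return True
    return False


if __name__ == '__main__':
    sans = dns_sans_by_file(list(SAMPLE_OUTPUT), list(SAMPLE_OUTPUT.values()))
    print(sans)  # {'/test/wildcard.api.test.com.crt': {0: ['api.test.com', '*.api.test.com']}, '/Common/ca-bundle.crt': {}}
```

Run it against the real subject_alt_list from the device and any cert index that comes back with no DNS entry is a certificate in the bundle that has no SAN extension, which is what the CA bundle output shows.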
  • Thanks, Michael.

    The part that is strange is that the output seems to include a random comma.

    subject_alt_list = [['DNS:api.test.com, DNS:*.api.test.com', '', '']]

    What is that last element?
  • Hi mhite,

    That's a good question. I'll try and code something up and see if I get similar results.

  • Thanks, Michael. Will be interesting to see what behavior you see in your tests.

    -M
  • Hi mhite,

    I completed building the tool and did some testing, but DevCentral is not allowing me to display the images that I captured showing you.

    Even though the method claims "Note: only call this method when the results of get_certificate_list indicate that there are multiple certificates bundled in a particular file" it did work well with some valid SAN Certificates that I had on the system.

    I did not get the strange behavior that you got. It was just a single comma delimited string with the two SANs.

    When I ran it on the default ca_bundle.crt I simply got back 135 blank entries.

  • Interesting. What version are you running?

    Also, my certificates are from Digicert -- how about you?
  • I'm running v11.2.0 HF1.

    Our Certificate Authority is Entrust for the Advantage Multi-SAN Certificates that I tested.