mikeygirod_2847
Oct 19, 2016

When creating a CSR on the LB for a SAN, is there a limitation on the number of names that can be created?

I have created several CSRs for SAN certs but am getting an error when trying to create one that has a high number of URLs (80). Is there a limitation to the number of names that can be created from the F5 LB?

 

2 Replies

  • The solution about SAN does not indicate any limitation:

     

    https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13470.html

     

    Also, the RFC does not define a limit:

     

    https://tools.ietf.org/html/rfc5280

     

    " SubjectAltName ::= GeneralNames

     

    GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName"

     

    "The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 constructs. A valid ASN.1 sequence will have zero or more entries. The SIZE (1..MAX) construct constrains the sequence to have at least one entry. MAX indicates that the upper bound is unspecified. Implementations are free to choose an upper bound that suits their environment."

     

    The implementation of the protocol may or may not limit that. However, you will be limited by other protocols' limitations, as TLS is limited, for example.

     

    https://tools.ietf.org/html/rfc5246#section-6.2

     

    "length The length (in bytes) of the following TLSPlaintext.fragment. The length MUST NOT exceed 2^14."

     

  • Upper boundary is not defined for SAN certificates. You can create 'N' number of URLs in the SAN.

    Did you try creating it from the tmsh utility?

    You can put as many DNS names, separating each domain name with a comma.

    create /sys crypto key key_name gen-certificate common-name "Example Inc." country "US" lifetime 3650 subject-alternative-name "DNS:www.exchange.example.com, DNS:www.example.com"

    -Jinshu
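
To see how large an 80-name SAN actually is, this added example (not code from the thread or from F5) DER-encodes the GeneralNames structure quoted from RFC 5280 for a list of DNS names, compares the size with the 2^14 figure quoted from RFC 5246, and builds the comma-separated string in the form the tmsh command above takes. The `appNN.example.com` hostnames and all function names are constructed for illustration.

```python
TLS_FRAGMENT_MAX = 2 ** 14  # figure quoted from RFC 5246 section 6.2 in the thread


def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One DER tag-length-value triple."""
    return bytes([tag]) + der_length(len(value)) + value


def encode_san(dns_names):
    """GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName (dNSName only)."""
    if not dns_names:
        raise ValueError("SIZE (1..MAX): at least one name is required")
    entries = b""
    for name in dns_names:
        try:
            raw = name.encode("ascii")  # dNSName is an IA5String
        except UnicodeEncodeError:
            raise ValueError(f"{name!r} is not IA5String; use the A-label form")
        entries += tlv(0x82, raw)       # dNSName is [2], context-specific primitive
    return tlv(0x30, entries)           # universal SEQUENCE


def tmsh_san_string(dns_names):
    """Comma-separated form shown in the tmsh command in the thread."""
    return ", ".join(f"DNS:{n}" for n in dns_names)


def report(dns_names):
    """Size of the encoded SAN value and how it compares with 2^14 bytes."""
    der = encode_san(dns_names)
    return {"names": len(dns_names), "der_bytes": len(der),
            "under_2_14": len(der) <= TLS_FRAGMENT_MAX}


if __name__ == "__main__":
    # Constructed sample: 80 hypothetical hostnames, the count from the question.
    names = [f"app{i:02d}.example.com" for i in range(80)]
    print(report(names))
    print(len(tmsh_san_string(names)), "characters in the tmsh argument")
```

The byte count covers only the SubjectAltName value; the extension wrapper, subject, public key and signature add to the size of the finished CSR or certificate.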