Forum Discussion

cathy_123
Jan 16, 2017

character limit f5 subject alternative name

Guys

I am having an issue creating a .csr in F5. Do we have a limit on characters for Subject Alternative Names? We have 1111 characters, including spaces, in the Subject Alternative Name; however, it gives an error: "error occurred while processing your request". But when I deleted a few domains (about 2), it was successful :( Please help

Thanks

5 Replies

  • JG

    Was it done via the Configuration Utility or on the command line? Did you use the correct format "DNS:example1.com,DNS:example2.com,..."?

  • Hello Jie!

    I created it in the GUI, and yes, I was using the correct format, since I was able to include the remaining 2 DNS when I removed the above 2 DNS. :) Would it be different if I created it in the CLI? I am not very familiar with the CLI :(

    Thanks!

  • JG

    It would be good if it gave a different error message, should it fail again, which could tell us a bit more about this issue. You can follow article K13471 and run the tmsh command from within a shell script, for that would make it easier for you to specify all those domains in a file.

  • JG

    I have created the following test script and could create some 1000 entries without a problem:

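    #!/bin/bash
    # Test script: build a CSR with 1000 SAN entries.
    # domain.key must already exist in /tmp. The {1..1000} expansion needs bash.
    
    cd /tmp
    # Work on a copy of the system OpenSSL config.
    cp /etc/pki/tls/openssl.cnf /tmp/
    # Start with an empty alt_names file.
    > /tmp/alt_names
    
    # One DNS.n entry per domain.
    for i in {1..1000}; do echo "DNS.$i=mydomain$i.com" >> /tmp/alt_names; done
    
    # Append a [SAN] extension section that points at the [alt_names] list.
    echo '[SAN]' >> /tmp/openssl.cnf
    echo 'subjectAltName=@alt_names' >> /tmp/openssl.cnf
    echo '[alt_names]' >> /tmp/openssl.cnf
    cat /tmp/alt_names >> /tmp/openssl.cnf
    
    # Generate the CSR with the SAN extension, then print and verify it.
    openssl req -new -sha256 -key domain.key -subj "/C=US/ST=New York/L=New York/O=Example, Inc./CN=example.com/emailAddress=test@example.com" -reqexts SAN -config /tmp/openssl.cnf -out domain.csr
    openssl req -text -noout -verify -in domain.csr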
    

    There are limits in all systems, but they shouldn't be a problem here.
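
A variant of the approach in this thread that reads the domains from a file and then checks that every name actually made it into the CSR, so a silently truncated SAN list is caught before the request goes to a CA. This is an added example, not code from the thread or from F5; the file names, the key path and the use of the first name as CN are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Inputs are assumptions: a text file
# with one DNS name per line and an existing private key.

# Names with comments, blank lines, whitespace and duplicates removed.
clean_names() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        awk 'NF && !seen[$0]++'
}

# The one-line "DNS:a,DNS:b" form used in the thread for the GUI field.
gui_san_string() {
    clean_names "$1" | sed 's/^/DNS:/' | paste -sd, -
}

# Minimal request config: $1 = names file, $2 = config file to write.
# Assumption: the first name doubles as the CN.
write_san_config() {
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = SAN\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$(clean_names "$1" | head -n 1)"
        printf '[SAN]\nsubjectAltName = @alt_names\n[alt_names]\n'
        clean_names "$1" | awk '{ printf "DNS.%d = %s\n", NR, $0 }'
    } > "$2"
}

# Number of DNS entries actually present in the CSR $1.
csr_san_count() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}

# main NAMES KEY CSR: build the CSR, then fail if any name is missing from it.
main() {
    cfg=$(mktemp) || return 1
    write_san_config "$1" "$cfg"
    openssl req -new -sha256 -key "$2" -config "$cfg" -out "$3"
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] || return "$rc"
    san=$(gui_san_string "$1")
    want=$(clean_names "$1" | wc -l | tr -d ' ')
    got=$(csr_san_count "$3")
    echo "GUI-style SAN string: ${#san} characters; requested $want, in CSR $got"
    [ "$want" -eq "$got" ]
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

The printed character count is the length of the same string you would paste into the GUI field, which makes it easy to compare a failing list against a working one.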