Forum Discussion

cathy_123's avatar
cathy_123
Icon for Cirrostratus rankCirrostratus
Jan 16, 2017

character limit f5 subject alternative name

Guys

 

I am having issue creating .csr in f5. Do we have limit on character for Subject Alternative names? we have 1111 characters including spaces on Subject alternative name however it has an error " error occurred while processing your request". But when I delete few domains about 2 it was successful :( Please help

 

Thanks

 

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus

    Was it done via the Configuration Utility or on command line? Did you use the correct format "DNS:example1.com,DNS:example2.com,.... ?

     

  • Hello Jie!

     

    I have created it in GUI and yes I was using the correct format since I was able to included the remaining 2 DNS when I have remove above 2 DNS. :) Would it be different if I created it in cli I am not very familiar in CLI :(

     

    Thanks!

     

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus

    It would be good if it should give a different error message, should it fail again, which could tell us a bit more about this issue. You can follow article K13471, and run the tmsh command from within a shell script, for that would be easier for you to specify all those domains in a file.

     

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus

    I have created the following test script and could create some 1000 entries without a problem:

    !/bin/sh
    
    cd /tmp
    cp /etc/pki/tls/openssl.cnf /tmp/
    > /tmp/alt_names
    
    for i in {1..1000}; do echo "DNS.$i=mydomain$i.com" >> /tmp/alt_names; done
    
    echo '[SAN]' >> /tmp/openssl.cnf
    echo 'subjectAltName=@alt_names' >> /tmp/openssl.cnf
    echo '[alt_names]' >> /tmp/openssl.cnf
    cat /tmp/alt_names >> /tmp/openssl.cnf
    
    openssl req -new -sha256 -key domain.key -subj "/C=US/ST=New York/L=New York/O=Example, Inc./CN=example.com/emailAddress=test@example.com" -reqexts SAN -config /tmp/openssl.cnf -out domain.csr
    openssl req -text -noout -verify -in domain.csr
    

    There are limits in all systems, but they shouldn't be a problem here.