Forum Discussion
When creating a CSR on the LB for a SAN, is there a limitation on the number of names that can be created?
I have created several CSRs for SAN certs but am getting an error when trying to create one that has a high number of URLs (80). Is there a limitation to the number of names that can be created from the F5 LB?
2 Replies
- Leonardo_Souza
Cirrocumulus
The solution about SAN does not indicate any limitation:
https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13470.html
Also, the RFC does not define a limit:
https://tools.ietf.org/html/rfc5280
" SubjectAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName"
"The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 constructs. A valid ASN.1 sequence will have zero or more entries. The SIZE (1..MAX) construct constrains the sequence to have at least one entry. MAX indicates that the upper bound is unspecified. Implementations are free to choose an upper bound that suits their environment."
The implementation of the protocol may or may not limit that. However, you will be limited by other protocols' limitations, as TLS is limited, for example.
https://tools.ietf.org/html/rfc5246#section-6.2
"length The length (in bytes) of the following TLSPlaintext.fragment. The length MUST NOT exceed 2^14."
- Jinshu
Cirrus
Upper boundary is not defined for SAN certificates. You can create 'N' number of URLs in the SAN.
Did you try creating it from the tmsh utility?
You can put as many DNS names, separating each domain name with a comma.
create /sys crypto key key_name gen-certificate common-name "Example Inc." country "US" lifetime 3650 subject-alternative-name "DNS:www.exchange.example.com, DNS:www.example.com"
-Jinshu
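To put numbers on the RFC 5280 and RFC 5246 excerpts quoted in the first reply, the following added example (not part of the original thread and not F5 code) DER-encodes a SubjectAltName GeneralNames sequence for 80 constructed example.com hostnames, parses it back, and reports its size next to the quoted 2^14-byte record length. All function names and hostnames are assumptions made for illustration.

```python
TLS_RECORD_MAX = 2 ** 14  # bytes; the RFC 5246 figure quoted in the reply

def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_san(dns_names: list[str]) -> bytes:
    """Encode GeneralNames holding only dNSName entries ([2] IMPLICIT IA5String)."""
    if not dns_names:
        raise ValueError("SIZE (1..MAX) requires at least one GeneralName")
    entries = b""
    for name in dns_names:
        raw = name.encode("ascii")
        entries += b"\x82" + der_length(len(raw)) + raw
    return b"\x30" + der_length(len(entries)) + entries  # SEQUENCE OF

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_position) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def decode_san(der: bytes) -> list[str]:
    """Parse the encoding back into names to confirm nothing was dropped."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x82:
            raise ValueError("only dNSName entries are handled here")
        names.append(value.decode("ascii"))
    return names

if __name__ == "__main__":
    # Constructed input: 80 placeholder hostnames, the count from the question.
    names = [f"app{i:02d}.example.com" for i in range(80)]
    der = encode_san(names)
    assert decode_san(der) == names
    print(f"{len(names)} names -> {len(der)} bytes; quoted limit {TLS_RECORD_MAX}")
```

The size covers the SAN extension value only; the subject, public key and signature in a CSR or certificate add to it.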