Subject Alternative Name


The Subject Alternative Name (subjectAltName or SAN) attribute is a Certificate Extension to X.509 that allows additional Certificate Subject names to be associated with a certificate.[1]

Subject Alternative Name MAY include:

Subject Alternative Name and IP Address#

RFC 5280 section specifies the iPAddress alternative name format, designed to hold dotted quads (IPv4) or 16 octets (IPv6).

Browser/client compatibility will vary.

You can specify a dotted quad in a dNSName field of the SAN. To quote RFC 5280:
The name MUST be in the "preferred name syntax", as specified by Section 3.5 of RFC 1034 and as modified by Section 2.1 of RFC 1123.

The latter suggests that software should be tolerant of finding IP addresses in "host name" fields:

Whenever a user inputs the identity of an Internet host, it SHOULD be possible to enter either

  • (1) a host domain name or
  • (2) an IP address in dotted-decimal ("#.#.#.#") form.
The host SHOULD check the string syntactically for a dotted-decimal number before looking it up in the Domain Name System.

Please note also that, per RFC 5280: Because the dNSName is considered to be definitively bound to the Public Key, all parts of the Subject Alternative Name MUST be verified by the CA.

When we last checked, the following ignored the iPAddress entry and expected the value as a string in dNSName:

  • MSIE and MS Edge
  • Python 2.
but: do not expect an IP Address as dNSName but need it as iPAddress.
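
The two client behaviours described above can be checked against a certificate's SAN list before it is deployed. The following is an added example, not part of the original page: the function names and the sample SAN are constructed for illustration, the entry layout follows what Python's ssl getpeercert() returns for subjectAltName, and matching is exact only (no wildcards).

```python
import ipaddress

# Constructed sample SAN: the same IPv4 address appears once as a dNSName
# string and once as a typed iPAddress entry.
SAMPLE_SAN = (
    ("DNS", "intranet.example.test"),
    ("DNS", "192.0.2.10"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "2001:db8:0:0:0:0:0:1"),
)

def as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def ip_in_dnsname(san):
    """Audit helper: dNSName entries whose value is really an IP literal."""
    return [v for t, v in san if t == "DNS" and as_ip(v) is not None]

def matches(reference, san, ip_in="iPAddress"):
    """Match a reference identity against SAN entries.

    The reference is first checked syntactically for an IP literal, as
    RFC 1123 asks. ip_in selects where an IP reference is looked up:
    "iPAddress" models clients that need the typed entry, "dNSName"
    models clients that ignore iPAddress and compare the string.
    """
    ref_ip = as_ip(reference)
    if ref_ip is None:
        wanted = reference.lower().rstrip(".")
        return any(t == "DNS" and v.lower().rstrip(".") == wanted
                   for t, v in san)
    if ip_in == "dNSName":
        return any(t == "DNS" and v == reference for t, v in san)
    # Typed entries are compared by value, so IPv6 spelling does not matter.
    return any(t == "IP Address" and as_ip(v) == ref_ip for t, v in san)

def coverage(reference, san):
    """Report which client behaviour would accept the reference."""
    return {mode: matches(reference, san, mode)
            for mode in ("iPAddress", "dNSName")}
```

A certificate that has to satisfy both groups of clients needs the address in both places, which is the case where coverage() reports True for both modes.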
