Overview#
Subject Alternative Name (OID 2.5.29.17) (subjectAltName or SAN) attribute is an Certificate Extensions to X.509 that allows additional Certificate Subject names to be associated with certificate.[1] If the Certificate Authority issues certificates with an empty sequence for the Certificate Subject, the CA MUST support the Subject Alternative Name Certificate ExtensionSubject Alternative Name MAY include:
- Email addresses
- IP Address
- URIs
- DNS names (alternatives to the Common Name)
- directory names (alternatives to the Distinguished Names)
- other objects, given as a registered Object Identifier followed by a value
Subject Alternative Name and IP Address#
RFC 5280 section 4.2.1.6 specifies iPAddress alternative name format, designed to hold dotted quads (IPv4) or 16 octets (IPv6).Browser/client compatibility will vary.
You can specify a dotted quad in a dNSName field of the SAN. To quote RFC 5280:
The name MUST be in the "preferred name syntax", as specified by Section 3.5 of RFC 1034 and as modified by Section 2.1 of RFC 1123
The latter suggests that software should be tolerant of finding IP addresses in "host name" fields:
Whenever a user inputs the identity of an Internet host, it SHOULD be possible to enter either
- (1) a host domain name or
- (2) an IP address in dotted-decimal ("#.#.#.#") form.
Please note also that, per RFC 5280: Because the dNSName is considered to be definitively bound to the Public Key, all parts of the Subject Alternative Name MUST be verified by the CA.
When we last checked, the following IGNORED IP Address and expect the value as string in dNSName:
- MSIE and MS Edge
- Python 2.
More Information#
There might be more information for this subject on one of the following:- 2.5.29.17
- Certificate Extensions
- Certificate Subject
- Certificate Validation
- Example Certificate
- NameConstraints
- OpenSSL Commands
- SAN
- Site Certificate
- Subject
- Subject Alternative Name
- SubjectAltName
- [#1] - SubjectAltName
- based on 2013-11-18