scop / portecle

User friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more
http://portecle.sourceforge.net/
GNU General Public License v2.0

Subject Alternative Name limited to one DNS entry #55

Closed sovamind closed 5 years ago

sovamind commented 6 years ago

The Subject Alternative Name extension is fully specified by RFC 5280 section 4.2.1.6.

Some rules or notes about the use of this extension include:

The subject name MAY be carried in the subject field and/or the subjectAltName extension. Note that if any DNSName is present in the subjectAltName extension, then all DNS names should be included there, including those in the subject name field. See RFC 2818 for details.

The semantics of subject alternative names that include wildcard characters are not addressed by RFC 5280. However, RFC 6125 states "the wildcard character '*' SHOULD NOT be included in presented identifiers".

Per these rules, and with browsers increasingly being strict in certificate checks, Portecle should be changed to support adding multiple Subject Alternative Name fields in the extension. At a minimum, multiple DNS: entries should be supported to enable compatibility with the RFC spec. Ideally, additional fields such as email and IP should be allowed.

Suggested change: Rather than asking for a single DNS field entry for SAN extension, the UI should allow a delimited string specifying all the field entries. This would be similar to the OpenSSL format, e.g. subjectAltName=DNS:example.com,DNS:www.example.com,IP:10.0.0.1,Email:info@example.com
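As an added example (not Portecle's code, and written in Python rather than the project's Java), the following parses the OpenSSL-style delimited SAN string proposed above into typed entries and DER-encodes them as the GeneralNames value that RFC 5280 section 4.2.1.6 defines for the extension. The function names, the `san_error` helper and the deliberately loose email and URI checks are my own assumptions; only the DNS, IP, Email and URI choices are handled, and wildcard DNS names are rejected by default in line with the RFC 6125 note quoted above.

```python
"""Added example (not Portecle's code): parse an OpenSSL-style subjectAltName
string and DER-encode it as the GeneralNames value from RFC 5280 4.2.1.6."""
import ipaddress
import re

# Context-specific implicit tags for the GeneralName CHOICE (RFC 5280, appendix A):
# rfc822Name [1], dNSName [2], uniformResourceIdentifier [6], iPAddress [7].
# otherName, x400Address, ediPartyName and the rest are deliberately not supported.
_TAGS = {"EMAIL": 0x81, "DNS": 0x82, "URI": 0x86, "IP": 0x87}

# One hostname label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# A URI must at least start with a scheme (RFC 3986); this is a deliberately loose check.
_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")


def parse_san(spec, allow_wildcard=False):
    """Turn 'DNS:a.example.com,IP:10.0.0.1,Email:x@example.com' into a list of
    (TYPE, value) tuples, validating each value. Wildcard DNS names are rejected
    unless allow_wildcard is set (RFC 6125 discourages them); even then only a
    single leading '*' label is accepted. Raises ValueError on any problem."""
    entries = []
    for item in spec.split(","):  # commas delimit entries, as in OpenSSL's syntax
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"missing type prefix in {item!r}")
        kind, value = item.split(":", 1)
        kind, value = kind.strip().upper(), value.strip()
        if kind not in _TAGS:
            raise ValueError(f"unsupported SAN type {kind!r}")
        if kind == "DNS":
            labels = value.split(".")
            if "*" in value:
                if not allow_wildcard or labels[0] != "*" or any("*" in l for l in labels[1:]):
                    raise ValueError(f"wildcard not allowed in {value!r}")
                labels = labels[1:]  # validate the remaining labels normally
            if not labels or not all(_LABEL.match(l) for l in labels):
                raise ValueError(f"invalid DNS name {value!r}")
        elif kind == "IP":
            ipaddress.ip_address(value)  # raises ValueError for anything that is not v4/v6
        elif kind == "EMAIL":
            local, _, domain = value.partition("@")
            if not local or not domain or "@" in domain:
                raise ValueError(f"invalid email address {value!r}")
        elif kind == "URI" and not _URI.match(value):
            raise ValueError(f"invalid URI {value!r}")
        entries.append((kind, value))
    if not entries:
        raise ValueError("subjectAltName must contain at least one entry")
    return entries


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_general_names(entries):
    """DER-encode parsed entries as GeneralNames ::= SEQUENCE OF GeneralName.
    Text names are IA5String payloads under their implicit tag; an iPAddress is
    the raw 4- or 16-octet address, not its textual form (RFC 5280 4.2.1.6)."""
    body = b""
    for kind, value in entries:
        if kind == "IP":
            payload = ipaddress.ip_address(value).packed
        else:
            payload = value.encode("ascii")  # IA5String is 7-bit; non-ASCII raises here
        body += bytes([_TAGS[kind]]) + _der_length(len(payload)) + payload
    return b"\x30" + _der_length(len(body)) + body


def san_to_der_hex(spec, allow_wildcard=False):
    """Convenience: spec string -> hex of the DER-encoded GeneralNames value."""
    return encode_general_names(parse_san(spec, allow_wildcard)).hex()


def san_error(spec, allow_wildcard=False):
    """Return the validation error message for spec, or None if it is acceptable."""
    try:
        parse_san(spec, allow_wildcard)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The delimited string proposed in the issue, used verbatim as sample input.
    example = "DNS:example.com,DNS:www.example.com,IP:10.0.0.1,Email:info@example.com"
    for entry in parse_san(example):
        print(entry)
    print(san_to_der_hex(example))
    print(san_error("DNS:*.example.com"))
```

The encoder is the part a GUI such as Portecle would hand to its crypto library instead of producing by hand; it is included so the reader can see that each entry becomes one tagged element of a single SEQUENCE, which is why "one DNS entry" is a UI limitation rather than anything in the extension's structure.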

sovamind commented 5 years ago

I'm not sure if this feature request has been completed. It's great that IP entries are now supported, but I'm not sure if the commit now allows multiple entries. We need to be able to support multiple DNS entries for some certificates which have multiple host names.

scop commented 5 years ago

I'm not sure you're looking at the correct commit that was actually applied :)

https://github.com/scop/portecle/commit/994925fd76e1b26f210e308d9a7c1ba0ed2a7d4e adds support for an arbitrary number of SANs of any type specified for a SAN. otherName, x400Address, and ediPartyName don't work though because of BouncyCastle limitations.

a13u commented 5 years ago

Should the names be separated with a comma in portecle as shown below? It seems not to work - can you give me an example?

I want to create a certificate which looks like this screen but I was unable to achieve that...

scop commented 5 years ago

The error messages and tooltip describe the format, see the end of 994925fd76e1b26f210e308d9a7c1ba0ed2a7d4e.

Note also that this functionality is only in git, there's no release out with it yet, nor an estimated time for that.