Re: How many SAN entries...?

> On Apr 26, 2017, at 1:03 PM, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote:
> 
> A naïve question. A certificate that contains SAN attribute(s) – is there a limit
> on how many, say, RFC822 SAN attributes can a valid certificate have?

None of the standard SAN types (DNS, Email, IP, ...) are limited to just one
entry.  If you try to have hundreds of them, eventually the certificate may
become too big for various protocols, but that's an explicit limit on the SAN
multiplicity.

> It’s been my understanding that a cert can contain as many SAN attributes as needed,
> but it appears that Apple believes it has to be only one (because certificates with
> more than one are not processed properly).

Perhaps CAs have rarely issued email certificates with multiple email addresses. 

> Sanity check: please validate – am I correct that having, say, two RFC822 email
> addresses in one cert is OK?

OpenSSL will accept multiple email SANs and with email name checks will accept
the certificate as valid so long as one of the addresses is a match.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
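
The behaviour described in the reply above can be reproduced with the `openssl` command line. This is an added example, not part of the original message; the certificate and the example.com addresses are constructed test data, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/usr/bin/env bash
# Added example. The certificate and the example.com addresses are constructed
# test data; assumes an `openssl` CLI from OpenSSL 1.1.1 or later (-addext).
set -eu

# Create a throwaway self-signed certificate with two rfc822Name (email) SANs.
make_cert() {                       # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=multi-email SAN test" \
    -addext "subjectAltName=email:alice@example.com,email:bob@example.com" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print every email address in the certificate, one per line.
list_emails() {                     # $1 = certificate file
  openssl x509 -in "$1" -noout -email
}

# Succeed if OpenSSL's email name check matches the address against any SAN entry.
email_matches() {                   # $1 = certificate file, $2 = address
  openssl x509 -in "$1" -noout -checkemail "$2" \
    | grep -q "does match certificate"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_cert "$workdir"
cert="$workdir/cert.pem"

list_emails "$cert"
for addr in alice@example.com bob@example.com carol@example.com; do
  if email_matches "$cert" "$addr"; then
    echo "$addr: match"
  else
    echo "$addr: no match"
  fi
done
```

Both addresses listed in the SAN pass the check, while an address that is absent from the certificate does not.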



