On Wed, Feb 10, 2010 at 03:23:03PM -0800, rono16 wrote:

> 
> I am using OpenSSL to create a self sign certificate and have a need to add
> approximately 4000, yes 4000, DNS entries (don't ask why) using Subject
> Alternative Name.  I have succeeded in creating a certificate with 500 DNS
> entries and it works just fine with no noticeable latency accessing the web
> sites listed via the SAN in the certificate.  However, I run into a problem
> when I create a certificate with more than 500 SAN entries.  OpenSSL creates
> the certificate and there are no indications of any problems.  After
> installing the new certificate, however, I can no longer access any of the
> sites where the certificate is installed.

Can you report the output of:

        $ openssl x509 -in cert.pem -outform DER | wc -c

for the "small-enough" and "too-big" certificates? The SSL/TLS record
layer has a maximum record size, a certificate probably needs to fit
into one record, so if your 500+ domains generate a certificate that
is larger than ~16K bytes, you may be out of luck.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

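As an added, stand-alone illustration of the size check suggested in the reply above (example code, not part of the original thread or of OpenSSL): this script DER-encodes a subjectAltName extension by hand for a list of hostnames, so the bytes that N dNSName entries add to the certificate can be estimated before the certificate is generated and compared against the 16384-byte TLS record payload the reply refers to. The hostnames and the 1 KiB baseline for the rest of the certificate are constructed assumptions.

```python
# Added example (not from the thread): estimate how many bytes N dNSName
# entries add to a certificate's subjectAltName extension, so the DER size
# check from the reply above can be done before the certificate is issued.
TLS_MAX_PLAINTEXT = 16384   # 2**14 bytes, the maximum TLS record payload
SAN_OID = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 (subjectAltName)
BASELINE_CERT_BYTES = 1024  # assumed size of a small cert without a SAN extension


def der_length(n):
    """DER length octets: short form below 128, long form (0x80|k, then k bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag byte, DER length octets, content."""
    return bytes([tag]) + der_length(len(content)) + content


def san_extension_der(names):
    """Encode the full Extension SEQUENCE for subjectAltName.
    GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String,
    whose tag byte is 0x82 (context-specific, primitive, number 2)."""
    general_names = der_tlv(0x30, b"".join(der_tlv(0x82, n.encode("ascii")) for n in names))
    extn_value = der_tlv(0x04, general_names)       # extnValue OCTET STRING
    return der_tlv(0x30, SAN_OID + extn_value)      # 'critical' omitted (DEFAULT FALSE)


def fits_one_tls_record(der_len):
    """True if a DER blob of this size fits in a single 16 KiB TLS record."""
    return der_len <= TLS_MAX_PLAINTEXT


def estimate(names, baseline=BASELINE_CERT_BYTES):
    """Return (san_extension_bytes, estimated_cert_bytes, fits_one_record)."""
    san_bytes = len(san_extension_der(names))
    total = baseline + san_bytes
    return san_bytes, total, fits_one_tls_record(total)


def sample_names(n):
    """Constructed hostnames of the form host0000.example.com (20 chars each)."""
    return [f"host{i:04d}.example.com" for i in range(n)]


if __name__ == "__main__":
    for count in (100, 500, 700, 4000):
        san, total, ok = estimate(sample_names(count))
        print(f"{count:5d} names: SAN ext {san:6d} B, cert ~{total:6d} B, "
              f"{'fits' if ok else 'exceeds'} one TLS record")
```

With 20-character names the estimate crosses the 16 KiB mark at roughly 700 entries, which is in line with the "works at 500, fails above" behaviour described; the real figure depends on name length and the rest of the certificate, so the `openssl x509 ... | wc -c` measurement remains the authoritative check.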