On Wed, Feb 10, 2010 at 03:23:03PM -0800, rono16 wrote:

> I am using OpenSSL to create a self-signed certificate and have a need to add
> approximately 4000, yes 4000, DNS entries (don't ask why) using Subject
> Alternative Name. I have succeeded in creating a certificate with 500 DNS
> entries and it works just fine with no noticeable latency accessing the web
> sites listed via the SAN in the certificate. However, I run into a problem
> when I create a certificate with more than 500 SAN entries. OpenSSL creates
> the certificate and there are no indications of any problems. After
> installing the new certificate, however, I can no longer access any of the
> sites where the certificate is installed.

Can you report the output of:

    $ openssl x509 -in cert.pem -outform DER | wc -c

for the "small-enough" and "too-big" certificates? The SSL/TLS record layer has a maximum record size, a certificate probably needs to fit into one record, so if your 500+ domains generate a certificate that is larger than ~16K bytes, you may be out of luck.

-- 
	Viktor.
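
The following added example, which is not part of the original thread, DER-encodes a subjectAltName extension for N dNSName entries and compares its size with the 16384-byte (2^14) TLS record plaintext limit behind the ~16K figure above. The host names are constructed (hostNNNN.example.com), and only the SAN extension is measured, not the rest of the certificate.

```python
# Added example: DER size of a subjectAltName extension holding N dNSName entries.
# Host names are constructed (hostNNNN.example.com); real names change the totals.

TLS_RECORD_MAX = 2 ** 14  # 16384 bytes, maximum TLS record plaintext fragment


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value


def san_extension(names):
    """Extension ::= SEQUENCE { extnID 2.5.29.17, extnValue OCTET STRING }."""
    # dNSName is GeneralName choice [2], IMPLICIT IA5String, so the tag is 0x82.
    entries = b"".join(tlv(0x82, n.encode("ascii")) for n in names)
    general_names = tlv(0x30, entries)
    oid = tlv(0x06, bytes([0x55, 0x1D, 0x11]))  # id-ce-subjectAltName
    return tlv(0x30, oid + tlv(0x04, general_names))


def san_size(count):
    """Size in bytes of the SAN extension for `count` constructed names."""
    names = [f"host{i:04d}.example.com" for i in range(count)]
    return len(san_extension(names))


def max_names_within(limit):
    """Largest count of constructed names whose SAN extension alone fits in limit."""
    count = 0
    while san_size(count + 1) <= limit:
        count += 1
    return count


if __name__ == "__main__":
    for n in (500, 4000):
        print(n, "names ->", san_size(n), "bytes of SAN extension")
    print("names fitting in", TLS_RECORD_MAX, "bytes:",
          max_names_within(TLS_RECORD_MAX))
```

Each constructed 20-character name costs 22 bytes of DER, so the count that fits depends directly on name length; measuring the real certificate with the `openssl x509 ... | wc -c` command above gives the full figure.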