That was it. One @ 13k works and one @ 18k doesn't.

Thanks Victor.

Ron

Victor Duchovni wrote:
>
> On Wed, Feb 10, 2010 at 03:23:03PM -0800, rono16 wrote:
>
>> I am using OpenSSL to create a self-signed certificate and have a need to
>> add approximately 4000, yes 4000, DNS entries (don't ask why) using Subject
>> Alternative Name. I have succeeded in creating a certificate with 500 DNS
>> entries and it works just fine with no noticeable latency accessing the web
>> sites listed via the SAN in the certificate. However, I run into a problem
>> when I create a certificate with more than 500 SAN entries. OpenSSL creates
>> the certificate and there are no indications of any problems. After
>> installing the new certificate, however, I can no longer access any of the
>> sites where the certificate is installed.
>
> Can you report the output of:
>
>     $ openssl x509 -in cert.pem -outform DER | wc -c
>
> for the "small-enough" and "too-big" certificates? The SSL/TLS record
> layer has a maximum record size, a certificate probably needs to fit
> into one record, so if your 500+ domains generate a certificate that
> is larger than ~16K bytes, you may be out of luck.
>
> --
>     Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

--
View this message in context: http://old.nabble.com/Subject-Alternative-Name-Help-tp27539914p27555907.html
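
Added example (not part of the original thread or of OpenSSL): a Python sketch that DER-encodes a subjectAltName extension holding only dNSName entries and estimates how many names fit under the 16384-byte TLS record limit, the "~16K" mentioned above. The host name pattern and the 800-byte figure for the rest of the certificate are assumptions; measure a real certificate with the openssl command quoted in the thread.

```python
TLS_MAX_RECORD = 2 ** 14  # 16384 bytes: maximum TLS record plaintext length

def der_len(n):
    """DER definite-length octets for a content length of n bytes."""
    if n < 0x80:
        return bytes([n])                      # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body    # long form

def tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def san_extension(dns_names):
    """DER of a non-critical subjectAltName Extension with dNSName entries."""
    # dNSName is GeneralName choice [2], IMPLICIT IA5String: tag byte 0x82.
    entries = b"".join(tlv(0x82, name.encode("ascii")) for name in dns_names)
    general_names = tlv(0x30, entries)
    oid = tlv(0x06, bytes([0x55, 0x1D, 0x11]))  # 2.5.29.17 id-ce-subjectAltName
    # Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }
    return tlv(0x30, oid + tlv(0x04, general_names))

def estimate_cert_size(dns_names, base_overhead=800):
    """Approximate DER size of the whole certificate.

    base_overhead is an ASSUMED size for everything except the SAN
    extension (names, RSA-2048 key, signature); it is not measured.
    """
    return base_overhead + len(san_extension(dns_names))

def max_names_under_limit(make_name, limit=TLS_MAX_RECORD, base_overhead=800):
    """Largest count of generated names whose estimate stays within limit."""
    names = []
    while True:
        candidate = names + [make_name(len(names))]
        if estimate_cert_size(candidate, base_overhead) > limit:
            return len(names)
        names = candidate

def sample_name(i):
    """Constructed 20-character host name, for illustration only."""
    return "host%04d.example.com" % i

if __name__ == "__main__":
    for count in (500, 800):
        size = estimate_cert_size([sample_name(i) for i in range(count)])
        print(count, "names ->", size, "bytes, fits:", size <= TLS_MAX_RECORD)
    print("max names under limit:", max_names_under_limit(sample_name))
```

Each dNSName costs its length plus two bytes of DER header, so the certificate grows linearly with the number of entries and shorter host names allow more of them.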