SAN

SAN allows you to define the subject alternative name extensions in the certificate.

Example JSON: Subject alternative names

You can use the JSON template for each type of SAN entry to specify inclusion rules, define automatic inclusion based on the common name, and determine the data sources, including Certificate Signing Requests (CSR), predefined values, or user input. This configuration offers the flexibility needed to meet specific security standards and manage SAN fields effectively during certificate issuance.

The provided JSON examples detail how to configure Subject Alternative Names (SAN) for a certificate template, covering various data types such as DNS names, IP addresses, and email addresses.

{
  ...
  "extensions": {
    "san": {
      "critical": false,
      "dns_name": {
        "include": "yes",
        "auto_include_cn": "no",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "ip_address": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "user_principal_name": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "email": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "uri": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "registered_id": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      }
    }
  }
}

{
  ...
  "extensions": {
    "san": {
      "critical": false,
      "other_name": {
        "required_types": [
          "hardware_module_name"
        ],
        "hardware_module_name": {
          "type": "1.2.240.458.10003.3.12",
          "serial_num": "aabbcc001122"
        }
      }
    }
  }
}

{
  ...
  "extensions": {
    "san": {
      "critical": false,
      "other_name": {
        "required_raw_types": [
          "1.2.3.456.7890.1",
          "1.2.3.456.7890.2"
        ],
        "optional_raw_types": [
          "1.2.3.456.7890.3",
          "1.2.3.456.7890.4"
        ]
      }
    }
  }
}

Parameters: Subject alternative names

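Each entry gives the parameter name with its type and whether it is mandatory, followed by the description and allowed values. Each leading ".." marks one level of nesting under san.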

san (object; mandatory: no)

JSON object for subject alternative name (SAN) extension details.

.. critical (boolean; mandatory: no)

If true, the SAN extension is critical. If false (default), the SAN extension is not critical.

Allowed values:

  • false: (default) SAN extension critical will be set to false.

  • true: SAN extension critical will be set to true.

.. dns_name (object; mandatory: no)

JSON object for DNS name details.

.. .. include (string; mandatory: no)

Defines if the SAN DNS name should be included in the certificate.

Allowed values:

  • no: (default) SAN DNS name will not be included in certificate.

  • yes: SAN DNS name will be included in certificate.

  • optional: SAN DNS name will be included if provided.

.. .. auto_include_cn (string; mandatory: no)

Defines if the common name is included and where it should be in the list of DNS names.

Allowed values:

  • top: (default) Common name will be added as first element of DNS name list.

  • bottom: Common name will be added as last element of DNS name list.

  • no: Common name will not be added.

.. .. allowed_source (array of strings; mandatory: yes)

Define the allowed source of the SAN DNS value.

Allowed values:

  • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.

  • csr: Value will be sourced from CSR.

  • user_supplied: Value can be provided in request.

.. ip_address (object; mandatory: no)

JSON object containing IP address details.

.. .. include (string)

Defines if the IP address is included in the certificate.

Allowed values:

  • no: (default) SAN IP address will not be included in certificate.

  • yes: SAN IP address will be included in certificate.

  • optional: SAN IP address will be included if provided.

.. .. allowed_source (array of strings)

Defines allowed sources of the IP address value.

Allowed values:

  • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.

  • csr: Value will be sourced from CSR.

  • user_supplied: Value can be provided in request.

.. user_principal_name (object; mandatory: no)

JSON object for user principal name (UPN) details.

.. .. include (string; mandatory: no)

Define if the SAN UPN should be included in the certificate.

Allowed values:

  • no: (default) SAN UPN will not be included in certificate.

  • yes: SAN UPN will be included in certificate.

  • optional: SAN UPN will be included if provided.

.. .. allowed_source (array of strings; mandatory: yes)

Define the allowed source of the SAN UPN value.

Allowed values:

  • csr: Value will be sourced from CSR.

  • user_supplied: Value can be provided in request.

  • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.

.. email (object; mandatory: no)

JSON object for SAN email details.

.. .. include (string; mandatory: no)

Define if the SAN email should be included in the certificate.

Allowed values:

  • no: (default) SAN email will not be included in certificate.

  • yes: SAN email will be included in certificate.

  • optional: SAN email will be included if provided.

.. .. allowed_source (array of strings; mandatory: yes)

Define the allowed source of the SAN email value.

Allowed values:

  • csr: Value will be sourced from CSR.

  • user_supplied: Value can be provided in request.

  • fixed_value: Default value will be defined in certificate profile, used only when no CSR or request value was provided.

.. uri (object; mandatory: no)

JSON object for URI details.

.. .. include (string; mandatory: no)

Defines if the URI will be included.

Allowed values:

  • no: (default) SAN URI will not be included in certificate.

  • yes: SAN URI will be included in certificate.

  • optional: SAN URI will be included if provided.

.. .. allowed_source (array of strings; mandatory: yes)

Defines the allowed sources for the URI.

Allowed values:

  • csr: Value will be sourced from CSR.

  • user_supplied: Value can be provided in request.

  • fixed_value: Default value will be defined in certificate profile, used only when no CSR or request value was provided.

.. registered_id (object; mandatory: no)

JSON object for registered ID details.

.. .. include (string; mandatory: no)

Defines if the registered ID will be included.

Allowed values:

  • yes: SAN registered ID will be included in certificate.

  • optional: SAN registered ID will be included if provided.

  • no: (default) SAN registered ID will not be included in certificate.

.. .. allowed_source (array of strings; mandatory: yes)

Defines the allowed sources for the registered ID.

Allowed values:

  • csr: Value will be sourced from CSR.

  • user_supplied: Value can be provided in request.

  • fixed_value: Default value will be defined in certificate profile, used only when no CSR or request value was provided.

.. other_name (object; mandatory: no)

JSON object for other name details.

.. .. required_raw_types (array of strings; mandatory: conditional)

List of required OIDs that must be present in raw input. Required when you need to define raw other name.

.. .. optional_raw_types (array of strings; mandatory: no)

List of optional OIDs that might be present in raw input. Only use when you need to define raw other name.

.. .. required_types (array of strings; mandatory: conditional)

List of OIDs. Should include hardware_module_name.type. Required when you need to define raw other name hardware_module_name.

.. .. hardware_module_name (object; mandatory: no)

JSON object for hardware module name details.

.. .. .. type (string; mandatory: yes)

OID of the hardware module.

.. .. .. serial_num (string; mandatory: no)

Hex encoded binary value of serial number.
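
The following is an added example, not part of the product or its documentation: a small Python check that validates a template's san block against the allowed values listed above and reports the SAN types whose values the requester can set (csr or user_supplied in allowed_source while include is yes or optional). The function name audit_san, the error strings and the sample template are assumptions made for illustration.

```python
import json

# Added illustration (hypothetical helper); allowed values come from the table on this page.
INCLUDE = {"no", "yes", "optional"}
AUTO_CN = {"top", "bottom", "no"}
SOURCES = {"csr", "fixed_value", "user_supplied"}
REQUESTER = {"csr", "user_supplied"}  # sources whose value comes from the request
SAN_TYPES = ("dns_name", "ip_address", "user_principal_name",
             "email", "uri", "registered_id")

def audit_san(template):
    """Return (errors, requester_controlled) for a template's SAN block."""
    san = template.get("extensions", {}).get("san", {})
    errors, requester_controlled = [], []
    if not isinstance(san.get("critical", False), bool):
        errors.append("critical: expected a boolean")
    for name in SAN_TYPES:
        entry = san.get(name)
        if entry is None:
            continue
        include = entry.get("include", "no")  # documented default is "no"
        if include not in INCLUDE:
            errors.append(f"{name}.include: invalid value {include!r}")
        if name == "dns_name" and entry.get("auto_include_cn", "top") not in AUTO_CN:
            errors.append("dns_name.auto_include_cn: invalid value")
        sources = entry.get("allowed_source")
        if not isinstance(sources, list):
            # The table marks allowed_source mandatory (not stated for ip_address).
            if name != "ip_address":
                errors.append(f"{name}.allowed_source: missing")
            continue
        bad = sorted(set(sources) - SOURCES)
        if bad:
            errors.append(f"{name}.allowed_source: invalid {bad}")
        if include in ("yes", "optional") and REQUESTER & set(sources):
            requester_controlled.append(name)
    return errors, requester_controlled

# Constructed sample (not from the page): one open type, one pinned, one with a typo.
SAMPLE = json.loads("""{"extensions": {"san": {"critical": false,
  "dns_name": {"include": "yes", "auto_include_cn": "no",
               "allowed_source": ["csr", "user_supplied"]},
  "user_principal_name": {"include": "optional", "allowed_source": ["fixed_value"]},
  "email": {"include": "maybe", "allowed_source": ["csr"]}}}}
""")

if __name__ == "__main__":
    errs, open_types = audit_san(SAMPLE)
    print("errors:", errs, "| requester-controlled:", open_types)
```

A type reported as requester-controlled is one where the identity in the issued certificate comes from the request rather than from the profile, so it is worth reviewing before the template is published.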