
SAN

The SAN section defines the certificate's Subject Alternative Name extension.

JSON example: Subject Alternative Name

Use the JSON template for each type of SAN entry to specify inclusion rules, define automatic inclusion based on the common name, and determine the allowed data sources: the Certificate Signing Request (CSR), predefined values, or user input. This configuration gives the flexibility needed to meet specific security requirements and to manage SAN fields during certificate issuance.

The JSON examples below show how to configure Subject Alternative Names (SAN) in a certificate template, covering entry types such as DNS names, IP addresses, and email addresses.

{
  ...
  "extensions": {
    "san": {
      "critical": false,
      "dns_name": {
        "include": "yes",
        "auto_include_cn": "no",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "ip_address": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "user_principal_name": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "email": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "uri": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      },
      "registered_id": {
        "include": "yes",
        "allowed_source": [
          "csr",
          "fixed_value",
          "user_supplied"
        ]
      }
    }
  }
}

{
  ...
  "extensions": {
    "san": {
      "critical": false,
      "other_name": {
        "required_types": [
          "hardware_module_name"
        ],
        "hardware_module_name": {
          "type": "1.2.240.458.10003.3.12",
          "serial_num": "aabbcc001122"
        }
      }
    }
  }
}

{
  ...
  "extensions": {
    "san": {
      "critical": false,
      "other_name": {
        "required_raw_types": [
          "1.2.3.456.7890.1",
          "1.2.3.456.7890.2"
        ],
        "optional_raw_types": [
          "1.2.3.456.7890.3",
          "1.2.3.456.7890.4"
        ]
      }
    }
  }
}

Parameters: Subject Alternative Name

Each entry lists the parameter name (nested parameters are written as dotted paths), its type, whether it is mandatory, and its description with the allowed values.

san (object; mandatory: no)
  Subject Alternative Name (SAN) extension details.

san.critical (boolean; mandatory: no)
  If true, the SAN extension is marked critical; if false, it is not critical.
  Allowed values:
    • false: (default) SAN extension critical will be set to false.
    • true: SAN extension critical will be set to true.

san.dns_name (object; mandatory: no)
  DNS name details.

san.dns_name.include (string; mandatory: no)
  Defines whether the SAN DNS name must be included in the certificate.
  Allowed values:
    • no: (default) SAN DNS name will not be included in certificate.
    • yes: SAN DNS name will be included in certificate.
    • optional: SAN DNS name will be included if provided.

san.dns_name.auto_include_cn (string; mandatory: no)
  Defines whether the common name is added to the DNS name list and, if so, where in the list.
  Allowed values:
    • top: (default) Common name will be added as first element of DNS name list.
    • bottom: Common name will be added as last element of DNS name list.
    • no: Common name will not be added.

san.dns_name.allowed_source (array of strings; mandatory: yes)
  Defines the allowed sources of the SAN DNS value.
  Allowed values:
    • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.
    • csr: Value will be sourced from CSR.
    • user_supplied: Value can be provided in request.

san.ip_address (object; mandatory: no)
  JSON object containing IP address details.

san.ip_address.include (string)
  Defines if the IP address is included in the certificate.
  Allowed values:
    • no: (default) SAN IP address will not be included in certificate.
    • yes: SAN IP address will be included in certificate.
    • optional: SAN IP address will be included if provided.

san.ip_address.allowed_source (array of strings)
  Defines the allowed sources of the IP address value.
  Allowed values:
    • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.
    • csr: Value will be sourced from CSR.
    • user_supplied: Value can be provided in request.

san.user_principal_name (object; mandatory: no)
  User principal name (UPN) details.

san.user_principal_name.include (string; mandatory: no)
  Defines whether the SAN UPN must be included in the certificate.
  Allowed values:
    • no: (default) SAN UPN will not be included in certificate.
    • yes: SAN UPN will be included in certificate.
    • optional: SAN UPN will be included if provided.

san.user_principal_name.allowed_source (array of strings; mandatory: yes)
  Defines the allowed sources of the SAN UPN value.
  Allowed values:
    • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.
    • csr: Value will be sourced from CSR.
    • user_supplied: Value can be provided in request.

san.email (object; mandatory: no)
  SAN email details.

san.email.include (string; mandatory: no)
  Defines whether the SAN email must be included in the certificate.
  Allowed values:
    • no: (default) SAN email will not be included in certificate.
    • yes: SAN email will be included in certificate.
    • optional: SAN email will be included if provided.

san.email.allowed_source (array of strings; mandatory: yes)
  Defines the allowed sources of the SAN email value.
  Allowed values:
    • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.
    • csr: Value will be sourced from CSR.
    • user_supplied: Value can be provided in request.

san.uri (object; mandatory: no)
  JSON object for URI details.

san.uri.include (string; mandatory: no)
  Defines if the URI will be included.
  Allowed values:
    • no: (default) SAN URI will not be included in certificate.
    • yes: SAN URI will be included in certificate.
    • optional: SAN URI will be included if provided.

san.uri.allowed_source (array of strings; mandatory: yes)
  Defines the allowed sources for the URI.
  Allowed values:
    • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.
    • csr: Value will be sourced from CSR.
    • user_supplied: Value can be provided in request.

san.registered_id (object; mandatory: no)
  JSON object for registered ID details.

san.registered_id.include (string; mandatory: no)
  Defines if the registered ID will be included.
  Allowed values:
    • no: (default) SAN registered ID will not be included in certificate.
    • yes: SAN registered ID will be included in certificate.
    • optional: SAN registered ID will be included if provided.

san.registered_id.allowed_source (array of strings; mandatory: yes)
  Defines the allowed sources for the registered ID.
  Allowed values:
    • fixed_value: (default) Value will be defined in certificate profile, used only when no CSR or request value was provided.
    • csr: Value will be sourced from CSR.
    • user_supplied: Value can be provided in request.

san.other_name (object; mandatory: no)
  Other name details.

san.other_name.required_raw_types (array of strings; mandatory: conditional)
  List of required OIDs that must be present in raw input. Required when you need to define a raw other name.

san.other_name.optional_raw_types (array of strings; mandatory: no)
  List of optional OIDs that may be present in raw input. Use only when you need to define a raw other name.

san.other_name.required_types (array of strings; mandatory: conditional)
  List of OIDs. Should include hardware_module_name.type. Required when you need to define the raw other name hardware_module_name.

san.other_name.hardware_module_name (object; mandatory: no)
  JSON object for hardware module name details.

san.other_name.hardware_module_name.type (string; mandatory: yes)
  OID of the hardware module.

san.other_name.hardware_module_name.serial_num (string; mandatory: no)
  Hex-encoded binary value of the serial number.
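The include, allowed_source and auto_include_cn rules above, applied to one SAN entry type of a request, as an added example that is not code from the documented product; the PROFILE dict is a constructed subset of the JSON template, and rejecting a value from a forbidden source (rather than silently dropping it) is an assumption.

```python
# Added example (not the documented product's own code): resolve one SAN entry
# type for a request against a SAN profile, following the include /
# allowed_source / auto_include_cn rules described in the parameter list above.

# Constructed profile: dns_name and ip_address follow the page's template;
# email is restricted to CSR-sourced values to show a disallowed source.
PROFILE = {
    "extensions": {
        "san": {
            "critical": False,
            "dns_name": {"include": "yes", "auto_include_cn": "no",
                         "allowed_source": ["csr", "fixed_value", "user_supplied"]},
            "ip_address": {"include": "optional",
                           "allowed_source": ["csr", "fixed_value", "user_supplied"]},
            "email": {"include": "yes", "allowed_source": ["csr"]},
        }
    }
}


def resolve_san(profile, kind, cn=None, csr=(), user_supplied=(), fixed=()):
    """Return the ordered SAN values of one kind (e.g. "dns_name") that the
    profile permits, or raise ValueError when the request violates it."""
    rule = profile["extensions"]["san"].get(kind)
    include = rule.get("include", "no") if rule else "no"
    if include == "no":
        return []  # entry type is not issued; any supplied values are dropped
    allowed = rule.get("allowed_source", ["fixed_value"])
    values = []
    for source, supplied in (("csr", csr), ("user_supplied", user_supplied)):
        if supplied and source not in allowed:
            # Assumption: a value from a source the profile forbids rejects the request
            raise ValueError(f"{kind}: source '{source}' is not allowed by the profile")
        values.extend(supplied)
    if not values and "fixed_value" in allowed:
        values = list(fixed)  # profile-defined value is only a fallback
    if kind == "dns_name" and cn:
        where = rule.get("auto_include_cn", "top")  # "top" is the documented default
        values = [v for v in values if v != cn]  # assumption: CN appears only once
        if where == "top":
            values.insert(0, cn)
        elif where == "bottom":
            values.append(cn)
    if include == "yes" and not values:
        raise ValueError(f"{kind}: profile requires a value but none was supplied")
    return list(dict.fromkeys(values))  # de-duplicate, preserving order
```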