Appendix - Configuring Support for Large or Custom SANs with EJBCA
By default, EJBCA supports a wide variety of SAN types and a total SAN length of 2000 characters. If you need to enroll for certificates through Keyfactor Command against an EJBCA CA that either uses a custom SAN type or has a large number of SANs that will exceed this supported character length, you will need to do some configuration in EJBCA to support this.
In EJBCA, you need to add a custom certificate extension and update the certificate profile you'll be using for enrollment through Keyfactor Command for large or custom SANs.
To add a custom extension to support enrolling with large or custom SANs:
- In the EJBCA administration portal, browse to System Configuration > System Configuration > Custom Certificate Extensions.
- On the Custom Certificate Extensions page, create a new custom extension with the following values:
  - Label: A name of your choice. This appears in certificate profiles when configuring custom extensions. For example, Override SAN.
  - Critical: No
  - Required: No
  - Encoding: DEROBJECT
  Click Edit to open the extension for editing in order to change the required value to No and the encoding value to DEROBJECT.
Figure 484: Create a Custom Certificate Extension for Large or Custom SANs
To edit the certificate profile:
- In the EJBCA administration portal, browse to CA Functions > Certificate Profiles.
- On the Manage Certificate Profiles page, open the certificate profile you will be using for enrollment from Keyfactor Command for editing.
- On the profile editing page, scroll down to locate the X509v3 extensions: Subject Alternative Name section and the Search enabled setting. Uncheck Search enabled if you wish to support a total SAN length of greater than 2000 characters.
Figure 485: Uncheck Search Enabled for Large SAN Support
- Scroll down to locate the Other Extensions: Used Custom Certificate Extensions section and select the custom certificate extension you created in the previous step. This is needed both to support enrolling with large SANs and for custom SANs.
Figure 486: Enable the Override SAN Custom Certificate Extension for Custom SAN Support
- Save your changes to the certificate profile.
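As an added pre-flight check (example code, not part of EJBCA or Keyfactor Command), the script below takes the SANs a request will carry, builds the DER SubjectAltName value that the DEROBJECT-encoded custom extension above would hold, and reports which of the two profile changes (unchecking Search enabled, enabling the custom extension) the request needs. The standard SAN type set and the "type=value, type=value" text rendering used to measure the 2000-character limit are assumptions modelled on how EJBCA displays SANs; the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 is used only as a sample otherName type.

```python
# Added pre-flight check for this appendix (not EJBCA or Keyfactor Command code). Assumption:
# the SAN type set and the "type=value, type=value" text rendering mirror how EJBCA shows SANs.
import ipaddress

EJBCA_SAN_TEXT_LIMIT = 2000  # default total SAN length stated in the appendix
STANDARD_SAN_TYPES = {"rfc822Name", "dNSName", "uniformResourceIdentifier", "iPAddress"}
_SIMPLE_TAGS = {"rfc822Name": 0x81, "dNSName": 0x82, "uniformResourceIdentifier": 0x86}

def _der_len(n):  # DER definite-form length octets (short form below 0x80, long form above)
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def _tlv(tag, body):  # tag + length + value
    return bytes([tag]) + _der_len(len(body)) + body

def _base128(n):  # OID sub-identifier: 7 bits per octet, high bit set on all but the last
    out = bytearray([n & 0x7F])
    while n >> 7:
        n >>= 7
        out.insert(0, 0x80 | (n & 0x7F))
    return bytes(out)

def _oid(dotted):  # OBJECT IDENTIFIER: first two arcs packed as 40*a+b
    arcs = [int(a) for a in dotted.split(".")]
    return _tlv(0x06, _base128(40 * arcs[0] + arcs[1]) + b"".join(map(_base128, arcs[2:])))

def encode_general_name(kind, value):  # one RFC 5280 GeneralName; otherName is the custom case
    if kind in _SIMPLE_TAGS:
        return _tlv(_SIMPLE_TAGS[kind], value.encode("ascii"))
    if kind == "iPAddress":
        return _tlv(0x87, ipaddress.ip_address(value).packed)
    if kind == "otherName":  # value = (type-id OID, text) -> [0] { OID, [0] EXPLICIT UTF8String }
        oid, text = value
        return _tlv(0xA0, _oid(oid) + _tlv(0xA0, _tlv(0x0C, text.encode("utf-8"))))
    raise ValueError(f"unsupported GeneralName type {kind!r}")

def san_extension_der(sans):  # GeneralNames SEQUENCE: the value a DEROBJECT extension carries
    return _tlv(0x30, b"".join(encode_general_name(k, v) for k, v in sans))

def san_text(sans):
    """Assumed EJBCA-style rendering, e.g. 'dNSName=a.example.com, iPAddress=192.0.2.10'."""
    return ", ".join(f"{k}={v if isinstance(v, str) else ':'.join(v)}" for k, v in sans)

def required_ejbca_settings(sans):
    length = len(san_text(sans))
    too_long = length > EJBCA_SAN_TEXT_LIMIT
    custom = any(k not in STANDARD_SAN_TYPES for k, _ in sans)
    return {"san_text_length": length, "uncheck_search_enabled": too_long,  # Search enabled unchecked
            "needs_custom_extension": too_long or custom}  # Override SAN extension, DEROBJECT encoding
```

A request with 100 DNS names already exceeds the 2000-character default, so both profile changes are reported for it, while a single otherName on an otherwise short request needs only the custom extension.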