Description
This extension is used to associate Internet style identities with the certificate issuer/subject.
The following passage is taken from RFC 2459 (Housley et al.), section 4.2.1.7:
«When the subjectAltName extension contains an Internet mail address,
the address MUST be included as an rfc822Name. The format of an
rfc822Name is an "addr-spec" as defined in RFC 822 [RFC 822]. An
addr-spec has the form "local-part@domain". Note that an addr-spec
has no phrase (such as a common name) before it, has no comment (text
surrounded in parentheses) after it, and is not surrounded by "<" and
">". Note that while upper and lower case letters are allowed in an
RFC 822 addr-spec, no significance is attached to the case.
When the subjectAltName extension contains a iPAddress, the address
MUST be stored in the octet string in "network byte order," as
specified in RFC 791 [RFC 791]. The least significant bit (LSB) of
each octet is the LSB of the corresponding byte in the network
address. For IP Version 4, as specified in RFC 791, the octet string
MUST contain exactly four octets. For IP Version 6, as specified in
RFC 1883, the octet string MUST contain exactly sixteen octets [RFC
1883].
When the subjectAltName extension contains a domain name service
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax," as specified by RFC
1034 [RFC 1034]. Note that while upper and lower case letters are
allowed in domain names, no significance is attached to the case. In
addition, while the string " " is a legal domain name, subjectAltName
extensions with a dNSName " " are not permitted. Finally, the use of
the DNS representation for Internet mail addresses (wpolk.nist.gov
instead of wpolk@nist.gov) is not permitted; such identities are to
be encoded as rfc822Name.
When the subjectAltName extension contains a URI, the name MUST be
stored in the uniformResourceIdentifier... The name MUST
be a non-relative URL, and MUST follow the URL syntax and encoding
rules specified in [RFC 1738]. The name must include both a scheme
(e.g., "http" or "ftp") and a scheme-specific-part. The scheme-
specific-part must include a fully qualified domain name or IP
address as the host.
As specified in [RFC 1738], the scheme name is not case-sensitive
(e.g., "http" is equivalent to "HTTP"). The host part is also not
case-sensitive, but other components of the scheme-specific-part may
be case-sensitive. When comparing URIs, conforming implementations
MUST compare the scheme and host without regard to case, but assume
the remainder of the scheme-specific-part is case sensitive.
Finally, the semantics of subject alternative names that include
wildcard characters (e.g., as a placeholder for a set of names) are
not addressed by this specification. Applications with specific
requirements may use such names but shall define the semantics.
»
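The encoding rules quoted above can be expressed as checks on individual name entries. This is an added Python example, not part of the SecureBlackbox documentation or API. The names `check_san`, `ip_to_text` and `uri_equal` are hypothetical, and the addr-spec and URI host checks are simplified.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Simplified addr-spec: local-part@domain with no phrase, comment or angle brackets.
ADDR_SPEC = re.compile(r"^[^\s@<>()]+@[^\s@<>()]+$")
# RFC 1034 preferred name syntax: letter/digit/hyphen labels of 1 to 63 characters.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_san(kind, value):
    """Return the rule violations for one subjectAltName entry (empty list = OK)."""
    if kind == "rfc822Name":
        ok = bool(ADDR_SPEC.match(value))
        return [] if ok else ["rfc822Name must be a bare addr-spec (local-part@domain)"]
    if kind == "iPAddress":  # value is the raw OCTET STRING content
        ok = len(value) in (4, 16)
        return [] if ok else ["iPAddress must be exactly 4 (IPv4) or 16 (IPv6) octets"]
    if kind == "dNSName":
        if not value.strip():
            return ['dNSName " " is not permitted']
        ok = all(LABEL.match(label) for label in value.split("."))
        return [] if ok else ["dNSName is not in preferred name syntax"]
    if kind == "uniformResourceIdentifier":
        parts = urlsplit(value)
        ok = bool(parts.scheme and parts.hostname)
        return [] if ok else ["URI must be non-relative: scheme and host required"]
    return ["name type not covered by this example"]


def ip_to_text(octets):
    """Render iPAddress octets (network byte order) in textual form."""
    return str(ipaddress.ip_address(octets))


def uri_equal(a, b):
    """Scheme and host compare case-insensitively; the remainder is case-sensitive."""
    def key(uri):
        p = urlsplit(uri)
        userinfo, _, hostport = p.netloc.rpartition("@")
        return (p.scheme.lower(), userinfo, hostport.lower(), p.path, p.query, p.fragment)
    return key(a) == key(b)
```

The check cannot detect a mail address written in DNS form (wpolk.nist.gov instead of wpolk@nist.gov), because that string is a syntactically valid dNSName; that rule has to be enforced where the name is issued.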
Inherited from TElCustomExtension .NET: