Generate certificate with long common_name


Рома Марусик

May 17, 2019, 6:27:30 PM
to Vault
Let's say I'm trying to generate a certificate with common_name "123456789012345678901234567890123456789012345678901234567890123e". This name has length 64. I got the error:

 {"errors":["idna: invalid label \"123456789012345678901234567890123456789012345678901234567890123e\""]}

When I try only 63 symbols it works. What is the max length of common_name? 63? Why 63?
Thank you in advance

Mark Gritter

May 17, 2019, 6:57:23 PM
to vault...@googlegroups.com
I believe this restriction comes from the Domain Name System (DNS).  A certificate's common_name is treated as a host name, and the error you see comes from the idna library which handles internationalized domain names.

The maximum length of a domain name is 253 bytes, and each label within the domain name can only be 63 bytes.  The reason for this limit is the encoding used in DNS, where each label is preceded by a length field in which the upper two bits must be set to zero.  (The upper bits are used for compression of domain name suffixes, which may appear multiple times in a DNS query.)  The restriction to 253 bytes for the entire domain name comes from the need for an initial length field (1 byte) and a final length field (1 byte, set to zero).  The intervening length bytes are represented as periods in the textual representation of a domain name.

So, a common_name that does not include any periods is interpreted as just one DNS label, which may only be 63 bytes long (this may be fewer characters than 63 if an internationalized domain name is used). The common_name may be up to 253 bytes if you include multiple labels within the name, each label limited to 63 bytes.

best,
Mark


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/b7c7ffcd-1446-4187-8a08-982dca82cb3a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
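To make the limits in Mark's explanation concrete, here is an added example (not Vault's code and not the idna library's) that derives the 63-byte label ceiling from the two reserved bits of the RFC 1035 length byte, checks a name the way the thread's error does, and encodes/decodes the wire form so you can see why a 64-byte label has no representation. The name in the thread is reconstructed from its description; the helper names (`checkHostname`, `encodeName`, `decodeName`) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RFC 1035 encodes a name as <length byte><label> pairs ending in a zero byte.
// The two high bits of each length byte are reserved (0b11 marks a compression
// pointer to an earlier copy of the suffix), so a plain label length must fit
// in the remaining six bits: at most 0b00111111 = 63.
const (
	labelFlagMask = 0xC0                  // the two reserved high bits
	maxLabelLen   = 0xFF &^ labelFlagMask // 0x3F == 63
	maxNameLen    = 253                   // textual form; 255 octets once encoded
)

// checkHostname applies the per-label and whole-name limits to an ASCII host
// name and names the offending label, which is what an error such as
// `idna: invalid label "..."` is reporting. Internationalized labels must be
// converted to their ASCII (xn--) form first; that is the form that has to fit.
func checkHostname(name string) error {
	name = strings.TrimSuffix(name, ".") // tolerate FQDN form with a trailing dot
	if name == "" {
		return errors.New("empty name")
	}
	if len(name) > maxNameLen {
		return fmt.Errorf("name is %d bytes, max %d", len(name), maxNameLen)
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" {
			return errors.New("empty label")
		}
		if len(label) > maxLabelLen {
			return fmt.Errorf("invalid label %q: %d bytes, max %d", label, len(label), maxLabelLen)
		}
	}
	return nil
}

// encodeName writes the RFC 1035 wire form: <len><label>...<len><label><0>.
func encodeName(name string) ([]byte, error) {
	if err := checkHostname(name); err != nil {
		return nil, err
	}
	name = strings.TrimSuffix(name, ".")
	out := make([]byte, 0, len(name)+2)
	for _, label := range strings.Split(name, ".") {
		out = append(out, byte(len(label))) // always <= 63, so the flag bits stay clear
		out = append(out, label...)
	}
	return append(out, 0), nil
}

// decodeName parses one encoded name back to text. It shows the other side of
// the limit: a length byte with either high bit set is not a label length, so
// a 64-byte label (0x40) could never appear on the wire.
func decodeName(buf []byte) (string, error) {
	var labels []string
	for i := 0; ; {
		if i >= len(buf) {
			return "", errors.New("truncated name")
		}
		n := int(buf[i])
		i++
		if n == 0 {
			break
		}
		if n&labelFlagMask == labelFlagMask {
			return "", errors.New("compression pointer: not followed in this example")
		}
		if n&labelFlagMask != 0 {
			return "", fmt.Errorf("reserved label type 0x%02x", n)
		}
		if i+n > len(buf) {
			return "", errors.New("label runs past end of buffer")
		}
		labels = append(labels, string(buf[i:i+n]))
		i += n
	}
	return strings.Join(labels, "."), nil
}

func main() {
	label63 := strings.Repeat("1234567890", 6) + "123" // the 63-char name that worked
	label64 := label63 + "e"                          // the 64-char name that was rejected
	for _, name := range []string{label63, label64, label63 + "." + label63} {
		enc, err := encodeName(name)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		back, _ := decodeName(enc)
		fmt.Printf("accept: %d wire bytes, first length byte 0x%02x, round-trips: %v\n",
			len(enc), enc[0], back == name)
	}
}
```

Running it accepts the 63-byte label (first length byte 0x3f), rejects the 64-byte one, and accepts the two-label 127-byte name, matching the behaviour in the thread; the 253-byte whole-name limit is enforced the same way once you add enough labels.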

Рома Марусик

May 17, 2019, 7:46:05 PM
to Vault
Thank you very much for your response.

On Saturday, 18 May 2019 at 01:57:23 UTC+3, Mark Gritter wrote: