
Do I need to prefix X.509 Subject Alternative Names with a "type"?


When I read RFC-2818 ("HTTP Over TLS"), it says:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

This seems to imply the subjectAltName must be "typed". The Wikipedia article on X.509 gives an example that seems to imply prefixing is needed:

    X509v3 Subject Alternative Name:
        DNS:*.wikipedia.org, DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, ...

However, I don't see any references or other examples of such prefix "typing" and it is not shown in either RFC-2818 or RFC-5280, etc.

Do I need to provide a "DNS" prefix or not? My experimentation indicates it works without it, but that might be my browser being lax (following Postel's law).

EDIT: Following the answer by @bartonjs below, I walked through the source code. I am actually using AWS-CDK, which uses CloudFormation, which indirectly uses AWS Certificate Manager SDK. And according to the documentation, we pass in

Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate.

So behind the scenes, the ACM SDK is assuming these strings are FQDNs and converting them to "type 2" (dNSName) entries.


Solution

  • The Subject Alternative Names extension is a sequence of GeneralName values. GeneralName values aren't just strings, they're typed data (generally a string, and a "for what reason" slot). https://www.rfc-editor.org/rfc/rfc5280#page-38:

    SubjectAltName ::= GeneralNames
    
    GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
    
    GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER }
    

    The "DNS:" prefix is just how OpenSSL formats GeneralName entries of type (2) (dNSName).
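An added example, not from the question or the answer above: a small Python DER encoder and decoder for the GeneralNames SEQUENCE that the SAN extension carries. It shows that the "type" lives in each entry's context-specific tag byte (0x82 for dNSName [2], 0x87 for iPAddress [7]) and that the "DNS:" / "IP Address:" labels only appear when the decoded entries are rendered, the way openssl -text does. The function names and the sample inputs are assumptions for this example.

```python
import ipaddress

# GeneralName CHOICE tags (RFC 5280): context-specific, primitive encoding.
TAG_DNS = 0x82        # dNSName   [2] IA5String
TAG_IP = 0x87         # iPAddress [7] OCTET STRING
TAG_SEQUENCE = 0x30   # GeneralNames ::= SEQUENCE OF GeneralName
OPENSSL_LABEL = {TAG_DNS: "DNS", TAG_IP: "IP Address"}  # labels openssl -text prints

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_san(names: list[str]) -> bytes:
    """Encode plain strings as a DER GeneralNames SEQUENCE. Anything that parses
    as an IP address becomes iPAddress [7]; everything else is assumed to be an
    FQDN and becomes dNSName [2], the same assumption ACM makes for 'additional FQDNs'."""
    out = b""
    for name in names:
        try:
            tag, value = TAG_IP, ipaddress.ip_address(name).packed
        except ValueError:
            tag, value = TAG_DNS, name.encode("ascii")  # IA5String is 7-bit ASCII
        out += bytes([tag]) + _der_len(len(value)) + value
    return bytes([TAG_SEQUENCE]) + _der_len(len(out)) + out

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_san(der: bytes) -> list[tuple[str, str]]:
    """Decode GeneralNames into (label, value) pairs, i.e. the 'DNS:host' form
    openssl prints. The label is derived from the tag byte, never from the value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        label = OPENSSL_LABEL.get(tag, f"[{tag & 0x1F}]")  # unknown type: show its tag number
        text = str(ipaddress.ip_address(value)) if tag == TAG_IP else value.decode("ascii")
        entries.append((label, text))
    return entries
```

Note that "DNS:example.com" passed in as a name would be encoded literally as the dNSName `DNS:example.com`, which is why the prefix belongs to the printed form only.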