How many Subject Alternate Name (SAN) attributes, can be included on a self-signed certificate?

Created On 07/24/25 20:13 PM - Last Modified 07/24/25 20:22 PM


Question


Is there a limit on the number of SAN (Subject Alternate Name) attributes that can be added to a self-signed certificate?



Answer


When generating a self-signed certificate from the firewall (or Panorama), only 3 different SAN attributes can be referenced:

  • Host Name (DNS).
  • IP address.
  • Email address.

Subject Alternative Name (SAN)


Each of the 3 SAN attributes listed above has a limit of 4 entries: 4 Host Names, 4 IP Addresses and 4 Email Addresses.

  • This limitation is hard coded in PAN-OS. If additional "Host Name" SAN entries are needed, a workaround is to use wildcards (e.g. *.test.com instead of one.test.com, two.test.com, etc.).
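To make the limit above concrete, the following is an added example (not PAN-OS code and not part of the original article) that builds and parses the SubjectAltName extension value, the GeneralNames SEQUENCE from RFC 5280, for the three entry types the firewall accepts (dNSName, iPAddress, rfc822Name), and enforces the same 4-per-type cap before encoding. The MAX_PER_TYPE constant and the error wording are assumptions modelled on the CLI messages shown later in this article; the tag values are the standard ones from RFC 5280.

```python
"""
Added example: encode and decode an X.509 SubjectAltName value (GeneralNames,
RFC 5280 section 4.2.1.6) with a per-type cap mirroring the PAN-OS limit
described in the article. Standard library only; not PAN-OS code.
"""
import ipaddress

# Context-specific tags of the GeneralName CHOICE (RFC 5280)
TAG_RFC822 = 0x81   # [1] rfc822Name, IA5String
TAG_DNS = 0x82      # [2] dNSName, IA5String
TAG_IP = 0x87       # [7] iPAddress, OCTET STRING (4 bytes IPv4, 16 bytes IPv6)
SEQUENCE = 0x30

# Assumption: the firewall's limit of 4 entries applies independently per type
MAX_PER_TYPE = 4


def _der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value


def encode_san(hostnames=(), ips=(), emails=()):
    """Return DER bytes of GeneralNames; raise ValueError above the per-type cap."""
    for label, items in (("hostname", hostnames), ("ip", ips), ("alt-email", emails)):
        if len(items) > MAX_PER_TYPE:
            # Wording modelled on the PAN-OS CLI error quoted in the article
            raise ValueError(f"At most {MAX_PER_TYPE} occurrences are allowed for {label}/member")
    names = b""
    for host in hostnames:
        names += _tlv(TAG_DNS, host.encode("ascii"))
    for ip in ips:
        # An iPAddress SAN is one exact address; a prefix such as 1.1.1.0/24 is rejected here
        names += _tlv(TAG_IP, ipaddress.ip_address(ip).packed)
    for email in emails:
        names += _tlv(TAG_RFC822, email.encode("ascii"))
    return _tlv(SEQUENCE, names)


def _read_len(buf, i):
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n


def decode_san(der):
    """Parse GeneralNames DER back into lists keyed by the article's attribute names."""
    if der[0] != SEQUENCE:
        raise ValueError("expected SEQUENCE")
    total, i = _read_len(der, 1)
    end = i + total
    out = {"hostname": [], "ip": [], "alt-email": []}
    while i < end:
        tag = der[i]
        length, i = _read_len(der, i + 1)
        value = der[i:i + length]
        i += length
        if tag == TAG_DNS:
            out["hostname"].append(value.decode("ascii"))
        elif tag == TAG_IP:
            out["ip"].append(str(ipaddress.ip_address(value)))
        elif tag == TAG_RFC822:
            out["alt-email"].append(value.decode("ascii"))
        else:
            raise ValueError(f"unsupported GeneralName tag 0x{tag:02x}")
    return out


if __name__ == "__main__":
    # Constructed sample input: a wildcard plus specific names, two IPs, one email
    der = encode_san(["*.test.com", "one.test.com"], ["1.1.1.1", "2001:db8::1"], ["one@test.com"])
    print(der.hex())
    print(decode_san(der))
    try:
        encode_san(["one.test.com", "two.test.com", "three.test.com", "four.test.com", "five.test.com"])
    except ValueError as exc:
        print("rejected:", exc)
```

Run against a real certificate, decode_san would take the value of the extension with OID 2.5.29.17; the point of the round trip is that each SAN entry is just a tagged string or packed address inside one SEQUENCE, so the 4-per-type cap is a product limit, not a limit of the format.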


Additional Information


GUI, CLI certificate generation:

From the GUI you can add 4 entries for each SAN attribute; after that, the SAN attribute option disappears from the drop-down list.

No 5th SAN is possible.


From the CLI, you will see the error below when attempting to add a 5th entry:

admin@GARYs-VM-300-A> request certificate generate hostname [ one.test.com two.test.com three.test.com four.test.com five.test.com  ] certificate-name testdotcom algorithm RSA rsa-nbits 2048 name test.com 

Server error : At most 4 occurrences are allowed for hostname/member <---
 request -> certificate -> generate -> hostname is invalid

---

admin@GARYs-VM-300-A> request certificate generate ip [ 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 5.5.5.5 ] certificate-name testdotcom algorithm RSA rsa-nbits 2048 name test.com

Server error : At most 4 occurrences are allowed for ip/member <---
 request -> certificate -> generate -> ip is invalid

---

admin@GARYs-VM-300-A> request certificate generate alt-email [ one@test.com two@test.com three@test.com four@test.com five@test.com  ] certificate-name testdotcom algorithm RSA rsa-nbits 2048 name test.com

Server error : At most 4 occurrences are allowed for alt-email/member <---
 request -> certificate -> generate -> alt-email is invalid


Additional info on the "Subject Alternative Name" (SAN) Field:


Besides the "Subject" field, the "Subject Alternative Name (SAN)" is a certificate extension used to associate various additional identifiers within a single certificate. It is extremely flexible and has become the standard for modern certificate validation. So much so that Google Chrome stopped trusting the "Subject" field for certificate validation starting with Chrome 58, released in April 2017.


  • Host Name (DNS): Allows a certificate to secure multiple domain names. For example, a single certificate can secure www.example.com, example.com, and shop.example.com (note that *.example.com can be used instead, and still match all 3 of the examples given here).

  • IP (IP Address): Allows the certificate to be valid for a specific IP address; subnets are not allowed.

  • Alt Email (email): An RFC 822-compliant email address.
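Because the wildcard workaround only helps if the client actually matches the names you expect, the following added example (not PAN-OS code and not part of the original article) implements client-side SAN matching as RFC 6125 section 6.4.3 specifies it: a wildcard is accepted only as the whole left-most label and matches exactly one label, so *.example.com covers www.example.com and shop.example.com but not the bare example.com (which needs its own dNSName entry) nor a.b.example.com; iPAddress entries compare as exact addresses, with no subnet semantics. The dictionary shape of the SAN input and the requirement of at least two labels after the wildcard (the policy browsers apply to reject names like *.com) are assumptions made here.

```python
"""
Added example: match a presented identifier (DNS name or IP address) against
SAN entries per RFC 6125 wildcard rules. Standard library only; not PAN-OS code.
"""
import ipaddress


def dns_matches(san_name, hostname):
    """True if a dNSName SAN entry covers hostname (case-insensitive, RFC 6125 6.4.3)."""
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # The wildcard must be the complete left-most label ("w*.test.com" is not accepted);
    # requiring two further labels is a policy choice here, matching common client behaviour
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    # The wildcard matches exactly one label: *.test.com covers one.test.com,
    # but neither test.com nor a.b.test.com
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def ip_matches(san_ip, address):
    """True only for an exact address match; a prefix like 1.1.1.0/24 never matches."""
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(address)
    except ValueError:
        return False


def find_matching_san(san, identifier):
    """Return the SAN entry that covers identifier, or None.

    san is a dict with "hostname" and "ip" lists (assumed shape). An identifier that
    parses as an IP address is only ever compared against iPAddress entries, and a
    DNS name only against dNSName entries, as RFC 6125 requires.
    """
    try:
        ipaddress.ip_address(identifier)
        candidates = [(entry, ip_matches) for entry in san.get("ip", [])]
    except ValueError:
        candidates = [(entry, dns_matches) for entry in san.get("hostname", [])]
    for entry, check in candidates:
        if check(entry, identifier):
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample SAN set: wildcard plus the bare domain, and one IP
    sample = {"hostname": ["*.test.com", "test.com"], "ip": ["1.1.1.1"]}
    for ident in ["one.test.com", "test.com", "a.b.test.com", "1.1.1.1", "2.2.2.2"]:
        print(f"{ident:>14} -> {find_matching_san(sample, ident)}")
```

The practical consequence for the 4-entry limit: one wildcard entry replaces any number of single-label hosts under a domain, but the apex name and any deeper subdomain each still consume one of the four Host Name slots.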



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000TNebKAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail