There is no specific limit on the number of names that can be included in the Subject Alternative Name (SAN) extension of a certificate issued by a Windows Certificate Authority (CA). The total size of any encoded extension, however, is limited to 4KB, because that is the maximum size of the ExtensionRawValue field as defined in the CA database schema. The schema can be inspected with certutil:
C:\>certutil -schema Ext
Schema:

  Column Name                   Localized Name                Type    MaxLength
  ----------------------------  ----------------------------  ------  ---------
  ExtensionRequestId            Extension Request ID          Long    4 -- Indexed
  ExtensionName                 Extension Name                String  254
  ExtensionFlags                Extension Flags               Long    4
  ExtensionRawValue             Extension Raw Value           Binary  4096
CertUtil: -schema command completed successfully.
For example, 151 25-character DNS name entries, plus the DER encoding overhead (~2 bytes of tag and length per name, plus the header of the enclosing SEQUENCE), comes in at 4,081 bytes, just under the 4KB limit. From an implementation standpoint, many certificate authorities cap the number of SAN domains far lower than that, anywhere from as low as 25 entries to as high as 100.

Related Resources

Active Directory Certificate Services (AD CS) Frequently Asked Questions (FAQ) (http://social.technet.microsoft.com/wiki/contents/articles/1587.active-directory-certificate-services-ad-cs-frequently-asked-questions-faq.aspx)
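The 4,081-byte figure above falls out of the DER encoding of the SAN extension value. The following is an added example (not part of the original wiki article and not Microsoft code) that builds the DER SEQUENCE of dNSName entries by hand, reports its encoded size, and works out how many names of a given length fit under the 4096-byte ExtensionRawValue column. It assumes that the column holds the raw DER extension value (the SAN SEQUENCE itself) and that every name is a plain ASCII dNSName; the sample names are constructed.

```python
# DER size arithmetic for a Subject Alternative Name extension.
# Added example; assumes the CA stores the raw DER value of the extension
# (the SAN SEQUENCE) in the 4096-byte ExtensionRawValue column.

CA_DB_EXTENSION_LIMIT = 4096  # MaxLength of ExtensionRawValue (certutil -schema Ext)
DNSNAME_TAG = 0x82            # GeneralName CHOICE [2] dNSName, context-specific, primitive
SEQUENCE_TAG = 0x30


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    if n < 0x10000:
        return b"\x82" + n.to_bytes(2, "big")
    raise ValueError("length too large for this example")


def encode_dns_name(name: str) -> bytes:
    """Encode one dNSName GeneralName (tag, length, IA5String body)."""
    body = name.encode("ascii")  # dNSName is IA5String; IDNs must be punycoded first
    return bytes([DNSNAME_TAG]) + der_length(len(body)) + body


def encode_san(names: list[str]) -> bytes:
    """Encode the SAN extension value: SEQUENCE OF GeneralName."""
    body = b"".join(encode_dns_name(n) for n in names)
    return bytes([SEQUENCE_TAG]) + der_length(len(body)) + body


def san_encoded_size(names: list[str]) -> int:
    return len(encode_san(names))


def fits_in_ca_database(names: list[str], limit: int = CA_DB_EXTENSION_LIMIT) -> bool:
    """True if the encoded SAN value fits the CA database extension column."""
    return san_encoded_size(names) <= limit


def max_names_that_fit(name_length: int, limit: int = CA_DB_EXTENSION_LIMIT) -> int:
    """Largest count of name_length-character dNSNames whose SAN fits in limit bytes."""
    count = 0
    while True:
        candidate = ["x" * name_length] * (count + 1)
        if san_encoded_size(candidate) > limit:
            return count
        count += 1


if __name__ == "__main__":
    # Constructed sample: 151 hostnames, each exactly 25 characters long.
    sample = [f"host{i:03d}.corp.example.com"[:25].ljust(25, "x") for i in range(151)]
    print("encoded SAN size:", san_encoded_size(sample))        # 4081
    print("fits in CA database:", fits_in_ca_database(sample))  # True
    print("max 25-char names:", max_names_that_fit(25))         # 151
```

Each 25-character name costs 27 bytes (1 tag byte, 1 length byte, 25 data bytes); 151 of them make a 4,077-byte body, which needs a long-form length (0x82 plus two bytes), so the outer SEQUENCE header adds 4 bytes for a total of 4,081. A 152nd name would push the value to 4,108 bytes and the CA would be unable to store the extension.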
Brian Duffy edited Revision 2. Comment: added guidance re: CA limits on number of SAN domains.
Kurt L Hudson edited Original. Comment: Added a link to the AD CS FAQ as it is related to this information.
Is it possible to increase the MaxLength on ExtensionRawValue?
Sincerely Yours
Tom Aafloen
@Tom: No, it is not. What scenario do you have in mind that would necessitate more than 150 DNS names in the SAN?