
How to: Disallow SAN types

Applies to:

16.1 to 18.2

NOTE: 18.3 and above moved this setting to Aperture: 

https://support.venafi.com/hc/en-us/articles/360015721211-Info-What-s-New-in-Venafi-Trust-Protection-Platform-18-3

https://docs.venafi.com/Docs/current/TopNav/Content/Policies/r-certificate-policy-configuring-Aperture-tpp.php 

Summary:

16.1 introduced the ability to disallow SAN types by policy.

Options are:

Disallow SAN: DNS

Disallow SAN: Email

Disallow SAN: IPAddress

Disallow SAN: OtherName UPN

Disallow SAN: URI


**To enable the following functionality you will need to contact support and request that the Support tab be unlocked; this is done with a challenge-response code.**

To enable this functionality, go to the policy level you want to apply it to, open the Support tab, select the Policy Attributes tab and click Add Attribute.

Select X509 Certificate, then select the SAN type you want to disallow and enter "1" in the Value box.

More Information:

If a certificate is renewed which violates policy settings for the allowable SAN types it will go into error with an appropriate error.

E.g. Certificate will not be processed because there is a subject alternative name (IP address) in use. This folder prohibits subject alternative name (IP address).

If an administrator sees this error and needs an exception, they would need to unlock the Disallow SAN: IPAddress policy setting so that it is only a suggested setting, and then, on the immediate policy where the exception is needed, override the policy setting with Disallow SAN: IPAddress = 0. Then hit Retry on the certificate.
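The following is an added illustration (not Venafi code) of the policy behaviour described above: a folder tree in which "Disallow SAN: <type>" attributes are inherited, a locked value on a parent overrides anything a child sets, and an unlocked (suggested) value can be overridden with 0 at the child. The attribute names and the error text come from the article; the Folder class, the locked/suggested flag, the SAN tuple format and the wording used for SAN types other than IP address are assumptions.

```python
"""Model of the 'Disallow SAN: <type>' policy attributes described in the article.

Added example, not Venafi Trust Protection Platform code. Attribute names and the
IP-address error text match the article; the folder model, lock semantics and the
labels for the other SAN types are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SAN types the article says can be disallowed (attribute is "Disallow SAN: <type>").
SAN_TYPES = ("DNS", "Email", "IPAddress", "OtherName UPN", "URI")

# Wording used inside the error message. "IP address" is quoted in the article;
# the other labels are assumed.
SAN_LABEL = {
    "DNS": "DNS",
    "Email": "email",
    "IPAddress": "IP address",
    "OtherName UPN": "UPN",
    "URI": "URI",
}


@dataclass
class Folder:
    """A policy folder. attributes maps an attribute name to (value, locked).

    locked=True  -> enforced: child folders cannot override it.
    locked=False -> suggested: a child folder may override it.
    """
    name: str
    parent: Optional["Folder"] = None
    attributes: Dict[str, Tuple[int, bool]] = field(default_factory=dict)

    def effective(self, attribute: str) -> int:
        """Resolve an attribute for this folder by walking root -> leaf.

        The first locked value encountered from the root wins; otherwise the
        deepest folder that sets the attribute wins. Unset means 0 (allowed).
        """
        chain: List[Folder] = []
        node: Optional[Folder] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        value = 0
        for folder in reversed(chain):  # root first
            if attribute in folder.attributes:
                value, locked = folder.attributes[attribute]
                if locked:
                    return value
        return value


def check_certificate(folder: Folder, sans: List[Tuple[str, str]]) -> Optional[str]:
    """Return the policy error for the first prohibited SAN type, or None if allowed.

    sans is a list of (san_type, value) tuples, e.g. ("IPAddress", "10.0.0.5").
    """
    for san_type, _value in sans:
        if san_type not in SAN_TYPES:
            raise ValueError(f"unknown SAN type: {san_type}")
        if folder.effective(f"Disallow SAN: {san_type}") == 1:
            label = SAN_LABEL[san_type]
            return (
                f"Certificate will not be processed because there is a subject "
                f"alternative name ({label}) in use. This folder prohibits subject "
                f"alternative name ({label})."
            )
    return None


def exception_scenario() -> Tuple[Optional[str], Optional[str]]:
    """Replays the 'exception' workflow from the article on a constructed tree.

    Returns (error while the parent setting is locked, result after it is
    unlocked and overridden with 0 on the immediate folder).
    """
    # Constructed sample: a parent policy that prohibits IP-address SANs (locked).
    parent = Folder("Policy", attributes={"Disallow SAN: IPAddress": (1, True)})
    # The immediate folder tries to override with 0; ignored while the parent is locked.
    child = Folder("Policy\\Web", parent=parent,
                   attributes={"Disallow SAN: IPAddress": (0, False)})
    # Constructed certificate SANs: one DNS name and one IP address.
    sans = [("DNS", "web.example.test"), ("IPAddress", "10.0.0.5")]

    before = check_certificate(child, sans)        # error: folder prohibits IP address
    parent.attributes["Disallow SAN: IPAddress"] = (1, False)  # unlock: now a suggestion
    after = check_certificate(child, sans)         # child's override of 0 takes effect
    return before, after


if __name__ == "__main__":
    before, after = exception_scenario()
    print("locked parent  :", before)
    print("after override :", after)
```

The first call reproduces the article's error because the locked parent value ignores the child's 0; once the parent setting is unlocked, the override on the immediate folder is honoured and the same certificate passes, which is the point at which the article says to retry the certificate.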
