Sonus is investigating a problem where the SBC 1k/2k & SWe Lite generate bad multi-SAN CSRs. The issue results in the additional SANs being added to the certificate as a single SAN, comma-separated.
Clearly this is a parsing error in the CSR-generating code, but unfortunately a fix isn’t immediately apparent. Separating the SANs with a space or a comma followed by a space – or even a carriage return – still results in bad certs.
Affected versions
The issue has been confirmed in the 1k/2k on 5.0.0 b395, 5.0.1 b399, 6.0.0 b435, 6.1.2 b471 & 6.1.3 b474. In the SWe Lite it’s present in at least 6.1.1 b91 & 6.1.2 b104.
Work-around
You’re in luck if you only want two SANs on the cert – its hostname and presumably an alias. The “Generate Sonus CSR” code is *automatically* adding the hostname as a SAN, so in the SAN field you only need to enter its alias and you’ll end up with a well-crafted cert with 2 SANs.
If for some reason you want/need more then I think you’re toast. I’ll update the post if I get a work-around from the Sonus TAC. If you have any certs expiring soon, don’t leave it too late to replace them.
Revision History
24th September 2017. This is the initial post.
– G.
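A way to check a CSR for these symptoms before sending it to a CA, as an added example that is not part of the original post and not Sonus code: it pulls the dNSName entries out of the subjectAltName extension and flags a merged comma-separated entry, a duplicated entry (as reported in the comments below), and a CN missing from the SAN list. The function names and the example.com hostnames are assumptions constructed for illustration, and the extension is located by a byte search for its OID rather than a full ASN.1 parse.

```python
import re

SAN_OID = bytes.fromhex("0603551d11")  # DER for OID 2.5.29.17 (subjectAltName)

def _tlv(buf, i):
    """Read one DER TLV at offset i; return (tag, value, next_offset)."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:  # long-form length: low 7 bits give the count of length bytes
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def san_dns_names(der):
    """dNSName entries of the first subjectAltName found in the DER bytes."""
    at = der.find(SAN_OID)
    if at < 0:
        return []
    tag, val, nxt = _tlv(der, at + len(SAN_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the OCTET STRING
        tag, val, nxt = _tlv(der, nxt)
    _, names, _ = _tlv(val, 0)  # OCTET STRING wraps SEQUENCE OF GeneralName
    out, i = [], 0
    while i < len(names):
        t, v, i = _tlv(names, i)
        if t == 0x82:  # context tag [2] = dNSName
            out.append(v.decode("ascii", "replace"))
    return out

def audit(cn, sans):
    """Flag merged entries, duplicates, and a CN that is absent from the SANs."""
    problems, seen = [], set()
    for s in sans:
        if re.search(r"[,\s]", s):  # comma, space or CR inside one entry
            problems.append(f"merged entry: {s!r}")
        if s.lower() in seen:  # DNS names compare case-insensitively
            problems.append(f"duplicate entry: {s!r}")
        seen.add(s.lower())
    if cn.lower() not in seen:
        problems.append(f"CN {cn!r} missing from SANs")
    return problems

def sample_ext(names):
    """Constructed sample: SAN extension bytes for short names (under 128 bytes)."""
    body = b"".join(b"\x82" + bytes([len(n)]) + n.encode() for n in names)
    return SAN_OID + b"\x04" + bytes([len(body) + 2]) + b"\x30" + bytes([len(body)]) + body

# Constructed input reproducing the merged-SAN symptom described in this post.
BAD = sample_ext(["sbc.example.com", "alias1.example.com,alias2.example.com"])
print(audit("sbc.example.com", san_dns_names(BAD)))
```

For a real CSR, pass `san_dns_names` the base64-decoded body of the PEM file; an empty result from `audit` means none of the three symptoms was found.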
Looks like this is fixed in 7.0.0 and above :) Successfully generated a 21-SAN CSR – checked it out with a couple of CSR decoders just to be sure!
Did it duplicate any SANs in your CSR? I’m still having problems with it, as recently as 7.0.2 b485. If I repeat the CN as a SAN (say to appease Chrome), the SBC puts TWO copies of the SAN in the CSR.
I’m wondering if their logic is “if the user adds a SAN to the CSR, then automatically add the CN as another SAN” – but they’re not de-duping it, so you end up with either none, or two of the same. Escalated again…
How lovely. Just fell into this hole with SBC 1k and firmware 12.0.0. Leave SAN field blank, no SAN. Add CN as the SAN, as required by MS TEAMS SBC support, get a duplicated SAN name.
*sigh*.
I tried, Mick.