Sonus is investigating a problem where the SBC 1k/2k & SWe Lite generate bad multi-SAN CSRs. The issue results in the additional SANs being added to the certificate as a single SAN, comma-separated:
Clearly this is a parsing error in the CSR-generating code, but unfortunately a fix isn’t immediately apparent. Separating the SANs with a space or a comma followed by a space – or even a carriage return – still results in bad certs.
Affected versions
The issue has been confirmed in the 1k/2k on 5.0.0 b395, 5.0.1 b399, 6.0.0 b435, 6.1.2 b471 & 6.1.3 b474. In the SWe Lite it’s present in at least 6.1.1 b91 & 6.1.2 b104.
Work-around
You’re in luck if you only want two SANs on the cert – its hostname and presumably an alias. The “Generate Sonus CSR” code is *automatically* adding the hostname as a SAN, so in the SAN field you only need to enter its alias and you’ll end up with a well-crafted cert with 2 SANs:
If for some reason you want/need more, then I think you’re toast. I’ll update the post if I get a work-around from the Sonus TAC. If you have any certs expiring soon, don’t leave it too late to replace them.
Revision History
24th September 2017. This is the initial post.
– G.
Looks like this is fixed in 7.0.0 and above :) Successfully generated a 21-SAN CSR – checked it out with a couple of CSR decoders just to be sure!
Did it duplicate any SANs in your CSR? I’m still having problems with it, as recently as 7.0.2 b485. If I repeat the CN as a SAN (say to appease Chrome), the SBC puts TWO copies of the SAN in the CSR.
I’m wondering if their logic is “if the user adds a SAN to the CSR, then automatically add the CN as another SAN” – but they’re not de-duping it, so you end up with either none, or two of the same. Escalated again…
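An added example, not part of the original post or its comments and not Sonus code: a Python check that reads the text output of `openssl req -noout -text -in <csr>` and flags the two faults discussed on this page (several names fused into one SAN entry, and a duplicated SAN), plus a CN that is missing from the SANs. The hostnames and the sample output are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample: the relevant part of `openssl req -noout -text` output for
# a CSR showing both faults described on this page (hostnames are made up).
SAMPLE = """\
        Subject: CN = sbc.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:sbc.example.com, DNS:sbc.example.com, DNS:sip.example.com,lync.example.com
"""

SAN_HEADER = re.compile(r"X509v3 Subject Alternative Name:")
# Split only where a new "TYPE:" entry starts, so a comma inside a value survives.
ENTRY_SPLIT = re.compile(r",\s*(?=(?:DNS|IP Address|email|URI):)")
CN = re.compile(r"Subject:.*?CN\s*=\s*([^,/\n]+)")


def parse_sans(text):
    """Return [(type, value), ...] from the line after the SAN header."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if SAN_HEADER.search(line) and i + 1 < len(lines):
            entries = ENTRY_SPLIT.split(lines[i + 1].strip())
            return [tuple(e.split(":", 1)) for e in entries if ":" in e]
    return []


def check_csr(text):
    """Return a list of findings; an empty list means the SANs look sane."""
    sans = parse_sans(text)
    if not sans:
        return ["no subjectAltName extension found"]
    findings, seen = [], set()
    for kind, value in sans:
        if kind == "DNS" and re.search(r"[,\s]", value):
            findings.append(f"fused SAN (several names in one entry): {value!r}")
        key = (kind, value.lower())
        if key in seen:
            findings.append(f"duplicate SAN: {kind}:{value}")
        seen.add(key)
    m = CN.search(text)
    if m and ("DNS", m.group(1).strip().lower()) not in seen:
        findings.append(f"CN {m.group(1).strip()!r} is not among the SANs")
    return findings


if __name__ == "__main__":
    print("\n".join(check_csr(SAMPLE)))
```

Run it against the decoded CSR before submitting to the CA; any finding means the request should be regenerated rather than signed.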