SSL, Certs & Subject Alternative Name

Report · Sep 19, 2019

Hi all,

My organization is in the process of changing authentication process. Rather than authenticating using data in the "Subject" attribute in the certificate (which I can parse out from cgi.CERT_SUBJECT), they want to authenticate using the "Subject Alternative Name" attribute extension of the certificate. However there is no cgi variable (that I am aware of) that I can get the data from that attribute.

I've been researching this for weeks, but am stuck. Anyone have any ideas?

I apologize if my terminoligy is used incorrectly above...I'm a pretty good programmer, but SSL/Certs is not my strength.

Thank much in advance!

Report · Sep 19, 2019

See https://community.adobe.com/t5/ColdFusion/Reading-Current-SSL-Client-Certificate-Data/td-p/2498615

Report · Oct 20, 2019

Thank you, haxtbh.

Per the link you provided, I was able to output the "Subject Alternative Name" using #x509[1].getSubjectAlternativeNames()#.

However the output is only a partial listing of the "Subject Alternative Name" field. It displays the sub-field "URL" value, but not the "Principal Name" value. And the data that I need to authenticate users is in the "Principal Name" sub-field.

Help?

Report · Nov 19, 2019

Still looking in to this...anyone have an idea?

Maybe I'm looking at this the wrong way. Rather than try to read the certificate as-is, is there a way to configure IIS so that the "Subject Alternative Name" field is fully displayed in a CGI variable?

Help?

Report · Jun 01, 2020

For me i did x509[1].getSubjectAlternativeNames().toArray() to give me an array of values.

In the array, i saw some values were in binary. If converted those binary values to utf-8, I was able to see one of the strings that I wanted but also with some junk prefixed. I assume the junk portion is just how the value gets encoded, i'm not an expert. I'm thinking i'll just do a rematch to extract the string I want for now until i can decode it better. In my case the string is very specific so i don't think i'll run into problems but i'd need to test this further when I have the time.

Report · Feb 06, 2020

I am trying to do the same thing, but with Apache. We have modded the mod_jk file to set CGI variables for many things, but I am searching for how to get the Subject Alternative Name / Principal Name and I'm not finding what the jkEnvVar variable name is to add. Anyone?

V/r,

^ _ ^

Adobe Community

SSL, Certs & Subject Alternative Name