Summary

Add support for Subject Alternative Names for certificates.

Review Request #14909 — Created March 17, 2026 and updated March 17, 2026, 2:05 p.m.

Information

Owner

chipx86

Repository

Review Board

Branch

release-7.1.x

Bugs

Depends On

Reviewers

Groups

reviewboard

People

Description

Callers can use this to validate the contents of a cert against other
hostnames. Note that certificates will not be indexed by these names,
just the primary hostname associated with the Certificate object
(which will usually be the host that was accessed that served the
certificate). For the time being, that makes this more useful as a way
to take an existing certificate and compare it prior to indexing under
the primary hostname.

Testing Done

Unit tests passed.

Commits

Summary	ID
Add support for Subject Alternative Names for certificates. SSL/TLS certificates have an optional extension listing alternative names or IP addresses that the certificate may represent. This change implements access to these through a new `subject_alternative_names` property, which returns a list of string values for all DNS and IP addresses listed in the cert. Callers can use this to validate the contents of a cert against other hostnames. Note that certificates will not be indexed by these names, just the primary hostname associated with the `Certificate` object (which will usually be the host that was accessed that served the certificate). For the time being, that makes this more useful as a way to take an existing certificate and compare it prior to indexing under the primary hostname.	6626d2fe1f294b8ad986a7683ee1d43ec891c743

Summary

Add support for Subject Alternative Names for certificates.

SSL/TLS certificates have an optional extension listing alternative names or IP addresses that the certificate may represent. This change implements access to these through a new `subject_alternative_names` property, which returns a list of string values for all DNS and IP addresses listed in the cert. Callers can use this to validate the contents of a cert against other hostnames. Note that certificates will not be indexed by these names, just the primary hostname associated with the `Certificate` object (which will usually be the host that was accessed that served the certificate). For the time being, that makes this more useful as a way to take an existing certificate and compare it prior to indexing under the primary hostname.

6626d2fe1f294b8ad986a7683ee1d43ec891c743

Issues

Description	From	Last Updated
Based on the implementation, this is returning all GeneralName entries, which could include more than just DNS and IP addresses. …	david	March 17, 2026, 2:05 p.m.
This should be broadened to at least say something like "SAN values", since it's including IP addresses (and potentially other …	david	March 17, 2026, 2:05 p.m.
This was copy/pasted from another test, and needs to be updated.	david	March 17, 2026, 2:05 p.m.

flake8 passed.

JSHint passed.

Fix it!

reviewboard/certs/cert.py (Diff revision 1)

An issue was opened. Show all issues

Based on the implementation, this is returning all GeneralName entries, which could include more than just DNS and IP addresses. We should either explicitly get values for only x509.DNSName/x509.IPAddress types, or change the docstring here to mention that this can also include things like e-mail addresses, URIs, directory names, etc.

reviewboard/certs/cert.py (Diff revision 1)

An issue was opened. Show all issues

This should be broadened to at least say something like "SAN values", since it's including IP addresses (and potentially other things depending on your decision above).

reviewboard/certs/tests/test_certificate.py (Diff revision 1)
An issue was opened. Show all issues
```
This was copy/pasted from another test, and needs to be updated.
```