How to handle multiple IPs in CSRParams ip_address field in gnoi cert #31

Open
matibens opened this issue Dec 4, 2019 · 4 comments

matibens commented Dec 4, 2019

It's quite a common scenario that you want to cover multiple IPs in one certificate via subjectAltName. Do you have any recommendation for how to implement this in gnoi cert?
Can we just send a comma-separated list of IPs in the ip_address field and parse it on the target?

@samribeiro samribeiro self-assigned this Dec 5, 2019
@samribeiro
Member

Hi @matibens, the x509 Certificate IPAddresses SAN is clearly a list of IP addresses. Given that the gnoi cert proto states ip_address in the singular, I would settle that it only supports one IP address and avoid possible ambiguities by stating that it could use comma-separated values. Therefore I believe we have a gap here that can be covered with a simple proto augmentation. In fact, I think it would be of use to clearly state what are Extensions and what are SANs in the CSR.

@matibens
Author

Hi @samribeiro, do you mean something like a repeated CertificateExtension message in CSRParams? CertificateExtension could include some oneof with messages for specific extensions.
Or do you have something more sophisticated in mind?

@samribeiro
Member

For simplicity I would settle with just the SANs:

```proto
message CSRParams {

  // <...>

  // SANs for x509 certificates.
  repeated string dns_names = 12;
  repeated string email_addresses = 13;
  repeated string ip_addresses = 14;
  repeated string uris = 15;

}
```

@matibens
Author

That also works for us, thank you.
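
An added example, not part of the thread or of the gNOI code base: how a target could map the proposed repeated `dns_names` / `ip_addresses` fields onto a CSR's SANs with Go's `crypto/x509`, treating each list element as exactly one address so that a comma-joined string is rejected instead of silently split. The `sanParams` struct, the `buildCSR` and `sanIPs` helpers, the throwaway ECDSA key and the sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net"
)

// sanParams is a hypothetical stand-in for the proposed repeated fields, not gNOI's generated type.
type sanParams struct {
	DNSNames, IPAddresses []string
}

// buildCSR maps each list element to exactly one SAN entry and returns a DER-encoded CSR.
func buildCSR(p sanParams) ([]byte, error) {
	tmpl := &x509.CertificateRequest{DNSNames: p.DNSNames}
	for _, s := range p.IPAddresses {
		ip := net.ParseIP(s) // "a,b" in one element is rejected, never split
		if ip == nil {
			return nil, fmt.Errorf("invalid ip_addresses entry %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway demo key
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// sanIPs parses a CSR, verifies its self-signature, and lists the IP SANs it carries.
func sanIPs(der []byte) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, ip := range csr.IPAddresses {
		out = append(out, ip.String())
	}
	return out, csr.CheckSignature()
}

func main() {
	der, _ := buildCSR(sanParams{DNSNames: []string{"target.example"}, IPAddresses: []string{"192.0.2.1", "2001:db8::1"}}) // constructed sample
	fmt.Println(sanIPs(der))
}
```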
