PKI FAQ: What is the maximum number of names that can be included in the SAN extension?
There is no specific limit on the number of names that can be included in the SAN extension of a certificate issued by a Windows Certificate Authority (CA). However, the total size of any encoded extension is limited to 4 KB (4,096 bytes), because that is the maximum size of the corresponding field as defined in the CA database schema.
C:\>certutil -schema Ext
Schema:
Column Name Localized Name Type MaxLength
---------------------------- ---------------------------- ------ ---------
ExtensionRequestId Extension Request ID Long 4 -- Indexed
ExtensionName Extension Name String 254
ExtensionFlags Extension Flags Long 4
ExtensionRawValue Extension Raw Value Binary 4096
CertUtil: -schema command completed successfully.
For example, 151 DNS name entries of 25 characters each, plus the encoding overhead (roughly 2 bytes per name), come in at 4,081 bytes, just under the 4 KB limit.
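As an added illustration (not part of the original FAQ), the following Python builds the DER encoding of a SAN extension that holds only dNSName entries and checks the result against the 4,096-byte ExtensionRawValue limit shown above, so a request can be sized before it is submitted to the CA. The host names it generates are constructed sample values; the 4,096 constant is taken from the schema output.

```python
# Added example: size a DER-encoded SubjectAltName (dNSName entries only) against
# the 4096-byte ExtensionRawValue column reported by "certutil -schema Ext".

MAX_EXTENSION_RAW_VALUE = 4096  # from the CA database schema quoted above


def der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, otherwise 0x80|count followed by the value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_san(dns_names: list[str]) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName; dNSName is [2] IA5String (tag 0x82).

    Each name costs len(name) + 2 bytes while it is shorter than 128 characters,
    which is the "~2 bytes per name" overhead mentioned in the FAQ; the outer
    SEQUENCE adds its own tag and length octets once.
    """
    names = b"".join(der_tlv(0x82, name.encode("ascii")) for name in dns_names)
    return der_tlv(0x30, names)


def san_fits(dns_names: list[str]) -> tuple[int, bool]:
    """Return (encoded size, whether it fits in the ExtensionRawValue column)."""
    size = len(encode_san(dns_names))
    return size, size <= MAX_EXTENSION_RAW_VALUE


def max_names_of_length(name_len: int) -> int:
    """Largest number of name_len-character dNSName entries that still fits."""
    names: list[str] = []
    while True:
        # constructed, unique, fixed-length sample names such as "0000aaaa...aaaa.test"
        names.append(f"{len(names):04d}".ljust(name_len - 5, "a") + ".test")
        if len(encode_san(names)) > MAX_EXTENSION_RAW_VALUE:
            return len(names) - 1


if __name__ == "__main__":
    limit = max_names_of_length(25)
    sample = [f"{i:04d}".ljust(20, "a") + ".test" for i in range(limit)]
    print(f"{limit} names of 25 characters encode to {san_fits(sample)[0]} bytes")
```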
In practice, many commercial certificate authorities impose their own limit on the number of SAN entries, ranging from as few as 25 to as many as 100.
Related Resources
Active Directory Certificate Services (AD CS) Frequently Asked Questions (FAQ) (http://social.technet.microsoft.com/wiki/contents/articles/1587.active-directory-certificate-services-ad-cs-frequently-asked-questions-faq.aspx)