Certificate "Subject Alternative Name" Field

    Question

  • How do I access the "Subject Alternative Name" field of a client certificate on the APIM frontend?

    I can't seem to access this using the "context.Request.Certificate" Extensions collection (context.Request.Certificate.Extensions).

    This is my code but when I try and save this in the APIM Policy window I get the following error.

    Error in element 'set-header' on line 69, column 10: Usage of type 'System.Security.Cryptography.AsnEncodedData' is not supported within expressions

    The code works fine if I run it within vscode (and replace "context.Request.Certificate" with my own certificate object containing the same certificate file).

    Any help appreciated.

    ##### CODE Below ####
                    var certSAN = "";
                    foreach (X509Extension certExtension in context.Request.Certificate.Extensions)
                    {
                        AsnEncodedData asndata = new AsnEncodedData(certExtension.Oid, certExtension.RawData);
                        if (asndata.Oid.Value.Equals("2.5.29.17"))
                        {
                            certSAN = asndata.Format(true);
                        }
                    }
                    return certSAN;


    • Edited by TheR00nster Wednesday, December 5, 2018 8:27 PM
    Wednesday, December 5, 2018 4:18 PM

All replies

  • There is a list of .NET types that are allowed in policy expressions mentioned here.

    Unfortunately, System.Security.Cryptography.AsnEncodedData isn't on the list, hence the error that you see.

    There is a request for adding .NET X509 support in policy expressions on UserVoice which is under review.
    You could vote for it and also comment your exact use case there.

    Thursday, December 6, 2018 6:27 PM
    Moderator
  • Hi TheR00nster, any updates on this?
    Thursday, December 13, 2018 4:37 AM
    Moderator
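
As an added example (not code from this thread or from Microsoft): the SAN extension value can be decoded from its raw DER bytes without AsnEncodedData, because it is a SEQUENCE of context-tagged GeneralName entries. `SanParser` is a hypothetical helper written as stand-alone C#; whether every type it uses is accepted inside an APIM policy expression is an assumption to check against the allowed-types list.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class SanParser   // hypothetical helper, not an APIM or .NET API
{
    // Read a DER length at buf[pos] and advance pos past the length octets.
    static int ReadLength(byte[] buf, ref int pos)
    {
        int first = buf[pos++];
        if (first < 0x80) return first;                 // short form
        int count = first & 0x7F;                       // long form: count of length octets
        if (count == 0 || count > 3) throw new FormatException("unsupported DER length");
        int len = 0;
        for (int i = 0; i < count; i++) len = (len << 8) | buf[pos++];
        return len;
    }

    // rawData: DER value of extension 2.5.29.17, i.e. GeneralNames ::= SEQUENCE OF GeneralName.
    public static List<string> Parse(byte[] rawData)
    {
        var names = new List<string>();
        int pos = 0;
        if (rawData[pos++] != 0x30) throw new FormatException("expected SEQUENCE");
        int seqLen = ReadLength(rawData, ref pos);
        int end = pos + seqLen;
        if (end > rawData.Length) throw new FormatException("truncated extension");
        while (pos < end)
        {
            byte tag = rawData[pos++];                  // context tag selects the name form
            int len = ReadLength(rawData, ref pos);
            if (len > end - pos) throw new FormatException("truncated GeneralName");
            if (tag == 0x81) names.Add("email:" + Encoding.ASCII.GetString(rawData, pos, len));
            else if (tag == 0x82) names.Add("DNS:" + Encoding.ASCII.GetString(rawData, pos, len));
            else if (tag == 0x86) names.Add("URI:" + Encoding.ASCII.GetString(rawData, pos, len));
            else if (tag == 0x87 && len == 4)           // iPAddress, IPv4 only
                names.Add("IP:" + rawData[pos] + "." + rawData[pos + 1] + "." + rawData[pos + 2] + "." + rawData[pos + 3]);
            pos += len;                                 // other forms (otherName, directoryName, ...) are skipped
        }
        return names;
    }

    static void Main()
    {
        // Constructed sample: SAN holding DNS:example.com and IP:192.0.2.1
        var sample = new List<byte> { 0x30, 0x13, 0x82, 0x0B };
        sample.AddRange(Encoding.ASCII.GetBytes("example.com"));
        sample.AddRange(new byte[] { 0x87, 0x04, 0xC0, 0x00, 0x02, 0x01 });
        Console.WriteLine(string.Join(", ", Parse(sample.ToArray())));
    }
}
```

With a real certificate, the input is the `RawData` of the extension whose OID is 2.5.29.17; names taken from it should only feed authorization decisions after the certificate itself has been validated.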