
I'm having an issue generating a keypair with subject alternate name using the Java keytool utility from Java 1.7. I'm attempting to follow the instructions found here.

An example of the command I'm using follows (this example has been tested):

keytool -keystore c:\temp\keystore.jks -storepass changeme -keypass changeme -alias spam -genkeypair -keysize 2048 -keyalg RSA -dname "CN=spam.example.com, OU=Spam NA, O=Spam Inc, L=Anywhere, S=State, C=US" -ext san=dns:spam,ip:192.168.0.1

I then generate the CSR using the following command:

keytool -keystore c:\temp\keystore.jks -storepass changeme -alias spam -certreq -file c:\temp\spam.csr

Which generates the following certificate request:

-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----

When I examine the CSR using the CSR Decoder at SSL Shopper, it does not show that it includes the specified SAN. This cert is for internal use in our environment, and the SAN is required because users may be accessing the site using FQDN, server name only, or IP address.

I'm continuing to troubleshoot, but I'm not that experienced with certs, so I'm at a loss, and most other folks in our environment aren't using keytool to generate their certs.

Thoughts? Alternatives? I am certainly willing to use a different method to generate the key & CSR, as long as I can import it into a Java keystore at some point.

Deacon

*"CN=spam.example.com"* - placing a DNS name in the CN is deprecated by both the IETF and the CA/Browser Forums. Instead, put a friendly name in the CN like "Spam Inc". Put all DNS names in the SAN. –  Aug 09 '14 at 07:33

1 Answer

You need to pass the -ext flag to the second command as well:

$ keytool -keystore keystore.jks -storepass changeme -alias spam -certreq -ext san=dns:spam,ip:192.168.0.1 -file spam.csr

Then the certificate contains the alt name:

$ openssl req -noout -text -in spam.csr | grep -A2 "Requested Extensions"
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:spam, IP Address:192.168.0.1
cyc115

dawud

Thank you. I was just logging in to post that I had figured that out overnight (with a little help from someone local). Wish I understood the **why** of it, because the `keytool` docs don't seem to say (to me at least) that it's required. But at least it's an answer I can live with and I know I'm not totally going out of my mind. Thanks. – Deacon Jun 18 '14 at 14:11
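The "why" behind the answer is in the PKCS#10 format itself: a CSR does not carry X.509 extensions directly, it carries them inside a PKCS#9 `extensionRequest` attribute, and `keytool -certreq` only writes that attribute from the `-ext` options given on the `-certreq` command line, not from the self-signed certificate already sitting in the keystore. The script below is an added example (written for this page, not keytool's or dawud's code, and not using the asker's real CSR): it builds a constructed, unsigned CSR from keytool's own `san=dns:...,ip:...` syntax and then parses a PEM CSR with a minimal DER walker to list the SAN entries, which is the same check the SSL Shopper decoder or `openssl req -text` performs. The function names `build_csr` and `csr_sans`, the placeholder public key and the empty signature are all constructed for the example; the OIDs are the standard ones.

```python
import base64
import ipaddress

# Standard OIDs: PKCS#9 extensionRequest (carries extensions in a CSR) and subjectAltName.
OID_EXT_REQ = "1.2.840.113549.1.9.14"
OID_SAN = "2.5.29.17"


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + _length(len(body)) + body


def oid(dotted):
    """DER-encode a dotted OID string (base-128 arcs after the first pair)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_csr(cn, san_spec):
    """Constructed, unsigned CSR whose extensionRequest attribute holds a SAN built
    from keytool-style 'dns:host,ip:addr' syntax. Key and signature are dummies."""
    names = b""
    for item in filter(None, san_spec.split(",")):
        kind, _, value = item.partition(":")
        if kind == "dns":
            names += tlv(0x82, value.encode("ascii"))                # dNSName [2]
        elif kind == "ip":
            names += tlv(0x87, ipaddress.ip_address(value).packed)   # iPAddress [7]
        else:
            raise ValueError("unsupported SAN kind: " + kind)
    san_ext = tlv(0x30, oid(OID_SAN) + tlv(0x04, tlv(0x30, names)))
    ext_req = tlv(0x30, oid(OID_EXT_REQ) + tlv(0x31, tlv(0x30, san_ext)))
    subject = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, cn.encode("utf-8")))))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(0x03, b"\x00\x30\x00"))
    attrs = tlv(0xA0, ext_req if names else b"")   # attributes [0]: empty when no -ext was given
    info = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + attrs)
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    der = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00"))   # empty BIT STRING stands in for the signature
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END NEW CERTIFICATE REQUEST-----\n")


def _read(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        out.append((tag, val))
    return out


def _decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def csr_sans(pem):
    """List the SAN entries carried in a PEM CSR's extensionRequest attribute."""
    der = base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))
    _, request, _ = _read(der, 0)                  # CertificationRequest
    info = _children(request)[0][1]                # CertificationRequestInfo
    found = []
    for tag, val in _children(info):
        if tag != 0xA0:                            # only the attributes [0] field
            continue
        for _, attr in _children(val):
            (_, atype), (_, avals) = _children(attr)
            if _decode_oid(atype) != OID_EXT_REQ:
                continue
            for _, ext in _children(_children(avals)[0][1]):
                fields = _children(ext)
                if _decode_oid(fields[0][1]) != OID_SAN:
                    continue
                _, general_names, _ = _read(fields[-1][1], 0)   # extnValue wraps GeneralNames
                for gtag, gval in _children(general_names):
                    if gtag == 0x82:
                        found.append("DNS:" + gval.decode("ascii"))
                    elif gtag == 0x87:
                        found.append("IP Address:" + str(ipaddress.ip_address(gval)))
    return found


if __name__ == "__main__":
    print(csr_sans(build_csr("spam.example.com", "dns:spam,ip:192.168.0.1")))
    print(csr_sans(build_csr("spam.example.com", "")))
```

Run `csr_sans` on the PEM that keytool writes to verify a real request before sending it to the CA; an empty list means the request was generated without `-ext san=...` on the `-certreq` command and the CA will see no SAN, whatever the keystore's self-signed certificate contains.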