Does Java Keytool allow SAN values to have wildcarded DNS names

我是研究僧i 提交于 2021-02-08 03:42:03

问题


According to RFC 2818 (section 3.1) RFC 2459 - It seems to be allowed to have a list of DNS name entries as part of SAN names and cover multiple domains:

SubjectAlternativeName [
  DNSName: localhost
  DNSName: *.i.mydomain.net
  DNSName: *.mydomain.net
]

Using Java keytool application - it doesn't seem to allow SAN entries to have wildcards in DNS names. Does anyone know whether I can use some tricks(!) to do this?


回答1:


I've run into this problem in the past and worked around it by using OpenSSL to generate CSRs and only using keytool when I have to (importing & exporting certificates and keys).

EDIT: here's tl;dr of what I did

Have a req.cfg file that looks something like this:

[req]
req_extensions = v3_req
[v3_req]
subjectAltName = @san
[san]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com

Then run this:

$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out keypair.csr -keyout keypair.key -config req.cfg

Now that you have your certificate signing request and private key, you can send your CSR to a CA or use OpenSSL to self-sign a certificate using the keypair.csr you just generated. However you do this, let's assume you get a cert that we'll call mycert.crt

You're pretty much done now but the tricky part is that you now need to convert your cert-key pair into a PKCS12 keystore before you attempting to import into your JKS keystore.

openssl pkcs12 -export -name mycertname -in mycert.crt -inkey keypair.key -out keystore.p12
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias mycertname


来源:https://stackoverflow.com/questions/45574633/does-java-keytool-allow-san-values-to-have-wildcarded-dns-names

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!