How to add subject alernative name to ssl certs?
SslSsl CertificateX509certificateKeytoolSsl Problem Overview
I'm using openssl to create self-signed certs. I'm getting this error with the certs I generated:
> javax.net.ssl.SSLHandshakeException: > java.security.cert.CertificateException: No subject alternative names > present
Does anyone know how to specify "Subject alternative name" while creating a cert?
This is how I'm generating a keystore:
sudo $JAVA_HOME/bin/keytool -genkey -dname "CN=192.168.x.xxx, OU=I, O=I, L=T, ST=On, C=CA" -alias tomcat -validity 3650 -keyalg RSA -keystore /root/.keystore -keypass abcd -storepass abcd
To generate a key:
openssl s_client -connect 192.168.x.xxx:8443 2>/dev/null
Please help! Thanks!
Ssl Solutions
Solution 1 - Ssl
Although this question was more specifically about IP addresses in Subject Alt. Names, the commands are similar (using DNS
entries for a host name and IP
entries for IP addresses).
To quote myself:
> If you're using keytool
, as of Java 7, keytool has an option to
> include a Subject Alternative Name (see the table in the documentation
> for -ext): you could use -ext san=dns:www.example.com or -ext
> san=ip:10.0.0.1
Note that you only need Java 7's keytool
to use this command. Once you've prepared your keystore, it should work with previous versions of Java.
(The rest of this answer also mentions how to do this with OpenSSL, but it doesn't seem to be what you're using.)
Solution 2 - Ssl
Both IP and DNS can be specified with the keytool additional argument -ext SAN=dns:abc.com,ip:1.1.1.1
Example:
keytool -genkeypair -keystore <keystore> -dname "CN=test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass <keypwd> -storepass <storepass> -keyalg RSA -alias unknown -ext SAN=dns:test.abc.com,ip:1.1.1.1
Solution 3 - Ssl
When generating CSR is possible to specify -ext attribute again to have it inserted in the CSR
keytool -certreq -file test.csr -keystore test.jks -alias testAlias -ext SAN=dns:test.example.com
complete example here: https://stackoverflow.com/questions/30755220/how-to-create-csr-with-sans-using-keytool/43637750#43637750