I'd like to ask whether it is possible to create a CSR that contains SAN records.

I created a keystore as

keytool -genkeypair -keyalg RSA -keysize 2048 -alias testAlias -ext SAN=dns:test.example.com -keystore test.jks -storetype JKS -dname "CN=test"

I can check using keytool that the SAN is in the keystore

keytool -list -v -keystore test.jks

and the relevant part of the output is

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: test.example.com
]

Then I created CSR using keytool:

keytool -certreq -file test.csr -keystore test.jks -alias testAlias

but in the CSR the information about the SAN is missing.

How to check:

keytool -printcertreq -file test.csr -v

Correctly, there should be something similar to

Extension Request:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: test.example.com
]

Did I miss some option for certreq?

Betlista

1 Answer

When you generate the CSR you need to specify the -ext attribute again:

keytool -certreq -file test.csr -keystore test.jks -alias testAlias -ext SAN=dns:test.example.com

MrPatol
    Using multiple DNS names and even an IP is also possible, e.g.: -ext "san=dns:test.example.com,dns:test.example.net,dns:test2.example.com,ip:XX.XXX.XX.XXX". Creating the CSR file worked for me... I just need to get my certificate to make sure things are working – Chasky Apr 22 '18 at 18:41
    Also note, the response to the CSR can overwrite stuff for you, too, so that the CSR signer can put SANs in there, and manage other attributes of the certificate. – Frischling Feb 27 '21 at 13:56
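An added example, not code from the post or from keytool's documentation: the full flow from the question and the answer as a POSIX shell script, using a multi-name SAN as in the comment above, plus a check that parses the keytool -printcertreq output so a CSR that silently lost its extension request is caught before it is sent to a CA. It assumes a JDK keytool on PATH; the host names and store password are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): generate the keystore, request a
# CSR with the SAN extension repeated on -certreq, and verify that the
# extension request actually made it into the CSR.
# Assumes JDK keytool on PATH; host names and password are constructed samples.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEYSTORE="$WORKDIR/test.jks"
CSR="$WORKDIR/test.csr"
STOREPASS="changeit"                      # constructed sample, not for real use
SAN_LIST="dns:test.example.com,dns:test.example.net"

# Step 1: key pair whose self-signed placeholder certificate carries the SAN.
make_keystore() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias testAlias \
    -ext "SAN=$SAN_LIST" -keystore "$KEYSTORE" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -dname "CN=test" >/dev/null 2>&1
}

# Step 2: the CSR. keytool does not copy extensions from the keystore entry,
# so -ext has to be given again here ($1 = "with" or "without").
make_csr() {
  if [ "$1" = "with" ]; then
    keytool -certreq -file "$CSR" -keystore "$KEYSTORE" -alias testAlias \
      -storepass "$STOREPASS" -ext "SAN=$SAN_LIST" 2>/dev/null
  else
    keytool -certreq -file "$CSR" -keystore "$KEYSTORE" -alias testAlias \
      -storepass "$STOREPASS" 2>/dev/null
  fi
}

# Step 3: the check. Prints every DNSName in the CSR's Extension Request,
# one per line; exits non-zero when the request carries no SAN at all.
csr_dns_names() {
  keytool -printcertreq -file "$CSR" -v 2>/dev/null \
    | sed -n 's/^[[:space:]]*DNSName: //p' | grep .
}

# Run the whole procedure when invoked as: sh san_csr.sh run
if [ "${1:-}" = "run" ]; then
  make_keystore
  make_csr with
  echo "DNS names requested in the CSR:"
  csr_dns_names
fi
```

Calling make_csr without and then csr_dns_names reproduces the question's symptom: no DNSName lines and a non-zero exit, which is the condition to gate a CSR submission on.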