According to RFC 2818 (section 3.1) and RFC 2459, it seems to be allowed to have a list of DNS name entries as part of the SAN names and cover multiple domains:

SubjectAlternativeName [
  DNSName: localhost
  DNSName: *.i.mydomain.net
  DNSName: *.mydomain.net
]

Using the Java keytool application, it doesn't seem to allow SAN entries to have wildcards in DNS names. Does anyone know whether I can use some tricks(!) to do this?

ha9u63a7

1 Answer

I've run into this problem in the past and worked around it by using OpenSSL to generate CSRs and only using keytool when I have to (importing & exporting certificates and keys).

EDIT: here's the tl;dr of what I did

Have a req.cfg file that looks something like this:

[req]
# openssl req refuses to run without a distinguished_name section
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = mydomain.com
[v3_req]
subjectAltName = @san
[san]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com

Then run this:

$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out keypair.csr -keyout keypair.key -config req.cfg

Now that you have your certificate signing request and private key, you can send your CSR to a CA or use OpenSSL to self-sign a certificate using the keypair.csr you just generated. However you do this, let's assume you get a cert that we'll call mycert.crt.

You're pretty much done now, but the tricky part is that you now need to convert your cert-key pair into a PKCS12 keystore before attempting to import it into your JKS keystore.

$ openssl pkcs12 -export -name mycertname -in mycert.crt -inkey keypair.key -out keystore.p12
$ keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias mycertname

Michael Wu
  • I wish someone didn't say that :( but yes I came across this too. My problem is that my servers will only use these keys to exchange messages between themselves, so nothing from outside. Did you have to actually generate the CA for this too? – ha9u63a7 Aug 08 '17 at 17:38
  • No I didn't need to actually generate the CA but you can certainly do that with OpenSSL too. – Michael Wu Aug 08 '17 at 17:40
  • thanks - would you mind sharing your steps? I wanted to understand whether you simply converted the keys generated by openssl or exported them – ha9u63a7 Aug 08 '17 at 17:57
  • I've updated my answer to walk you through how to do this – Michael Wu Aug 08 '17 at 18:13
  • By any chance, do you know why it always complains "Unable to find distinguished_name in the config" - I am on Windows but the generation process shouldn't really rely on OS. I have added `distinguished_name` token but it seems it's still complaining. – ha9u63a7 Aug 08 '17 at 20:56
  • Perhaps this answer might help you? https://superuser.com/a/1118045/212669 – Michael Wu Aug 08 '17 at 20:57
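The answer's OpenSSL-then-keytool procedure as a runnable script, added here as an example (not the answer's own code). It assumes openssl 1.1.1 or newer on PATH; keytool is optional and the store password `changeit` is a constructed placeholder. Beyond the answer, it checks that the issued cert really carries the wildcard in its SAN extension (clients ignore CN for hostname matching) and that OpenSSL's own matcher accepts `www.mydomain.com` but rejects the nested `a.b.mydomain.com`.

```shell
#!/bin/sh
# Added example (not from the answer). Assumes openssl 1.1.1+ on PATH; keytool optional.
set -eu
WORK=$(mktemp -d)
PASS=changeit   # constructed placeholder store password

# SAN list with a wildcard plus the bare domain. x509_extensions is required
# because `req -x509` ignores req_extensions; distinguished_name is mandatory.
write_cfg() {
  cat > "$WORK/req.cfg" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
prompt = no
[dn]
CN = mydomain.com
[v3_req]
subjectAltName = @san
[san]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com
EOF
}
# Key + self-signed cert in one step, then the PKCS12 bundle from the answer.
make_cert() {
  write_cfg
  openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days 1 -config "$WORK/req.cfg" \
    -keyout "$WORK/keypair.key" -out "$WORK/mycert.crt" 2>/dev/null
  openssl pkcs12 -export -name mycertname -in "$WORK/mycert.crt" \
    -inkey "$WORK/keypair.key" -out "$WORK/keystore.p12" -passout "pass:$PASS"
}
# 0 if the cert's SAN extension lists NAME exactly (fixed-string match, so '*' is literal).
san_has() {
  openssl x509 -in "$WORK/mycert.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -qF "DNS:$1"
}
# 0 if OpenSSL's hostname matcher accepts HOST against the cert: *.mydomain.com
# covers www.mydomain.com but not a.b.mydomain.com (a wildcard spans one label).
host_matches() {
  openssl verify -CAfile "$WORK/mycert.crt" -verify_hostname "$1" "$WORK/mycert.crt" >/dev/null 2>&1
}
# Import into JKS only if keytool is installed (the answer's last step).
import_jks() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importkeystore -destkeystore "$WORK/keystore.jks" -srckeystore "$WORK/keystore.p12" \
    -srcstoretype pkcs12 -alias mycertname -srcstorepass "$PASS" -deststorepass "$PASS" >/dev/null 2>&1
}
```

Run `make_cert` and then `keytool -list -v -keystore "$WORK/keystore.jks" -storepass changeit` to see the two DNSName entries under SubjectAlternativeName in the imported entry.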