
I want to create a self-signed cert with the SAN field (subject alternative name) set but the Java keytool tool does not seem to support that. What is my best option? This is for Java use, so the keystore must still match the JKS format even if a non-Java tool is used to create the cert.

olefevre

5 Answers

You can do this by adding the SAN function to the command when creating the CSR:

Create the Keystore:

keytool -genkey -alias SANTEST -keyalg RSA -keystore SANTEST.jks -keysize 2048

Issue the CSR:

# The alias must be the one used at -genkey above; -ext puts the SAN into the CSR (JDK 7+ keytool).
# For a self-signed cert (no CA), pass the same -ext san=... to -genkey instead, since a CSR is never issued.
keytool -certreq -alias SANTEST -keystore SANTEST.jks -ext san=dns:san.yourdomain.com

http://download.java.net/jdk8/docs/technotes/tools/solaris/keytool.html

Gary
user2438793

You can do this only with the JDK7 or later version of keytool. OpenJDK 7 has it.

President James K. Polk

You can use http://Ssltools.com/manager to create the SAN cert and export it, and then import it into the keystore.

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my-keystore.jks -srckeystore cert-and-key.p12 -srcstoretype PKCS12 -srcstorepass cert-and-key-password -alias 1

Yogi

It sounds like getting the more recent keytool might be easiest, but you could also create the certificate with the alternate name set using openssl and then import that into keytool.

Rup
  • Good point, and there are probably many examples of how to do it with openssl out there on the google. – President James K. Polk May 15 '11 at 16:19
  • openssl uses a different format, if I am not mistaken, so you have the extra hassle of conversion. Maybe not a big deal once you know what's what and how to, but figuring out this security stuff is a real drag. – olefevre May 16 '11 at 04:42
  • Thanks - if you didn't use my suggestion, though, you should probably accept your own answer not mine! – Rup May 16 '11 at 08:40

The JDK7 suggestion is a good one. In the meantime I was able to do it using the Bouncy Castle library. It was educational to do it programmatically instead of with keytool and getting the stores in jks format was straightforward.

olefevre
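The answer above describes building the certificate programmatically with Bouncy Castle and saving it as JKS, but does not show the code. The following is an added example of that route (not olefevre's code); it assumes bcprov and bcpkix on the classpath, and the hostnames, alias, file name and password are constructed for the example.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SelfSignedSanToJks {
    // Hostnames, alias, keystore file and password are constructed for this example.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Self-signed: issuer and subject are the same name, signed with our own key.
        X500Name name = new X500Name("CN=san.example.com");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, name, kp.getPublic());
        // The subjectAltName extension pre-JDK7 keytool could not emit: DNS names plus an IP address.
        GeneralNames san = new GeneralNames(new GeneralName[] {
                new GeneralName(GeneralName.dNSName, "san.example.com"),
                new GeneralName(GeneralName.dNSName, "www.example.com"),
                new GeneralName(GeneralName.iPAddress, "127.0.0.1") });
        builder.addExtension(Extension.subjectAlternativeName, false, san);
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(builder.build(signer));
        // Store private key and certificate as one JKS key entry, the format the Java side expects.
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setKeyEntry("santest", kp.getPrivate(), pw, new Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream("santest.jks")) {
            ks.store(out, pw);
        }
        // Same check as "keytool -list -v": confirm the SAN entries are in the stored certificate.
        System.out.println("SAN: " + cert.getSubjectAlternativeNames());
    }
}
```

Running `keytool -list -v -keystore santest.jks` afterwards should show a SubjectAlternativeName section listing the two DNS names and the IP.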