After a bunch of searching around, I came up with the following:
    PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
        new X500Principal("CN=clustername"), publicKey);
    ASN1Encodable[] subjectAlternativeNames2 = new ASN1Encodable[] {
        new GeneralName(GeneralName.rfc822Name, "clusteruid"),
        new GeneralName(GeneralName.dNSName, "127.0.0.1")
    };
    DERSequence subjectAlternativeNamesExtension = new DERSequence(subjectAlternativeNames2);
    p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, subjectAlternativeNamesExtension); //.addExtension(Extension.subjectAlternativeName, false, subjectAlternativeNames);
    JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("MD5WithRSA");
    ContentSigner signer = csBuilder.build(privateKey);
    PKCS10CertificationRequest thecsr = p10Builder.build(signer);
    out = new FileOutputStream(outFile + "x.csr");
    out.write("-----BEGIN CERTIFICATE REQUEST-----\n".getBytes());
    out.write(Base64.getEncoder().encodeToString(thecsr.getEncoded()).getBytes());
    out.write("\n-----END CERTIFICATE REQUEST-----\n".getBytes());
    out.close();
The above "seems" to work, and generates a file /tmp/licensingx.csr as expected.
I've been using openssl to verify. When I use:
    openssl req -in /tmp/licensingx.csr -text -noout
I was expecting to see something like the following included as part of the output:
    Requested Extensions:
        X509v3 Subject Alternative Name:
            EMAIL:clusterid, DNS:127.0.0.1
In fact, the requested extensions section is missing. Can anyone suggest something? We are already using the cluster name as the CN in the subject.
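
Added example, not part of the original post and not the poster's code: the PKCS#9 extensionRequest attribute carries an Extensions structure (each entry an OID, a critical flag and an OCTET STRING-wrapped value), so the subject alternative names go in as a GeneralNames value through BouncyCastle's ExtensionsGenerator rather than as a bare DERSequence. Assumptions: the class name CsrWithSan, the throwaway RSA key pair, the output file example.csr, and SHA256withRSA in place of the post's MD5WithRSA.

```java
import java.io.FileWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrWithSan {
    public static void main(String[] args) throws Exception {
        // Throwaway key pair so the example runs on its own (assumption, not from the post).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Same SAN entries as the post. An IP address normally belongs in GeneralName.iPAddress.
        GeneralNames san = new GeneralNames(new GeneralName[] {
            new GeneralName(GeneralName.rfc822Name, "clusteruid"),
            new GeneralName(GeneralName.dNSName, "127.0.0.1")
        });
        // Wrap the SAN value in an Extensions structure; this is what extensionRequest holds.
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.subjectAlternativeName, false, san);

        PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
            new X500Principal("CN=clustername"), kp.getPublic());
        p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
        PKCS10CertificationRequest csr = p10Builder.build(
            new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));

        // Read the attribute back to confirm the SAN extension decodes before handing the CSR to a CA.
        Extensions exts = Extensions.getInstance(csr.getAttributes(
            PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)[0].getAttrValues().getObjectAt(0));
        System.out.println(GeneralNames.fromExtensions(exts, Extension.subjectAlternativeName));

        // JcaPEMWriter emits the PEM header/footer and wraps the base64 at 64 columns.
        try (JcaPEMWriter pem = new JcaPEMWriter(new FileWriter("example.csr"))) {
            pem.writeObject(csr);
        }
    }
}
```

The resulting example.csr can be inspected with the same `openssl req -in example.csr -text -noout` command used in the post.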