How to add subject alternative name to ssl certs?
I'm using openssl to create self-signed certs. I'm getting this error with the certs I generated:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present


Does anyone know how to specify "Subject alternative name" while creating a cert? This is how I'm generating a keystore:

sudo $JAVA_HOME/bin/keytool -genkey -dname "CN=192.168.x.xxx, OU=I, O=I, L=T, ST=On, C=CA" -alias tomcat -validity 3650 -keyalg RSA -keystore /root/.keystore -keypass abcd -storepass abcd

To generate a key:

openssl s_client -connect 192.168.x.xxx:8443 2>/dev/null

Please help! Thanks!

Lamarlamarck answered 5/1, 2012 at 15:1 Comment(6)
possible duplicate of How are SSL certificate server names resolved/Can I add alternative names using keytool?Crackerbarrel
@Sapphire: I don't understand your problem. The Subject Alternative Name is NOT a required extension in an X.509 certificate. So if you have a certificate without it, there is no problem. So how are you getting this exception?Question
@user384706 Can you please look at this question? Even I'm confused about why it is throwing this error. [#8760456Lamarlamarck
@Sapphire: Replied in the other threadQuestion
The accepted answer is in Java. To do this with OpenSSL, here's an answer: security.stackexchange.com/a/91556Steffy
In response to @Cratylus' comment from early 2012, Chrome now no longer accepts the Common Name and requires the SAN field. (In the short term a config change can revert to the old behavior. That setting will be removed eventually, forcing SAN adoption.)Magnetometer
Although this question was more specifically about IP addresses in Subject Alt. Names, the commands are similar (using DNS entries for a host name and IP entries for IP addresses).

To quote myself:

If you're using keytool, as of Java 7, keytool has an option to include a Subject Alternative Name (see the table in the documentation for -ext): you could use -ext san=dns:www.example.com or -ext san=ip:10.0.0.1

Note that you only need Java 7's keytool to use this command. Once you've prepared your keystore, it should work with previous versions of Java.

(The rest of this answer also mentions how to do this with OpenSSL, but it doesn't seem to be what you're using.)

Crackerbarrel answered 5/1, 2012 at 15:8 Comment(6)
I can't change to Java7. Is there a way to bypass the subjectalternativename check in my Java code?Lamarlamarck
Don't avoid this check. As I said, you only need Java 7 to use this keytool command. Once it's done, you should be able to use the JKS file with your Java 6 (or lower) installation (it doesn't even have to be on the same machine). Alternatively, you could use OpenSSL to generate this (self-signed) certificate (the commands and settings might be a bit more complex): you could turn your PEM key/cert generated with OpenSSL into a .p12 file and use it directly from Java as a keystore using keystore type PKCS12. You could also use a hostname instead of an IP addr: you'd get away with the CN.Crackerbarrel
I used a hostname instead like you suggested and I got this: No name matching myhostname.com found.Lamarlamarck
Well, you need to use a host name that's configured to match that IP address (in DNS or hosts file). If you're not familiar with those concepts, it sounds like installing Java 7 somewhere might be the easiest solution for you.Crackerbarrel
I updated the /etc/hosts file with "myip myhostname" and used myhostname in the certificate.Lamarlamarck
With most keytool commands accepting an extension (genkeypair, gencert, and gencertreq), it is unclear to me how the propagation happens. My assumption is that this is an ever-increasing list that gets chained? But I also realise that using the ext in genkeypair for the purposes of creating a signing request won't include the subject alternative namesCestode
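The two error messages quoted in this thread ("No subject alternative names present" when connecting by IP address, and "No name matching myhostname.com found" after switching to a host name) come from the hostname check Java runs after the TLS handshake, not from keytool itself. The following Python model is an added illustration, not code from the thread or from the JDK; it reproduces the rules as I understand them (assumption: an IP target is matched only against iPAddress SAN entries and never against the CN; a DNS target is matched against dNSName SAN entries, with the CN used as a fallback only when the certificate carries no dNSName entry; a leading `*.` wildcard covers exactly one label). The `Cert` class and the `keytool_san_ext` helper are hypothetical names chosen for this example, and the two message strings that do not appear on this page are given from memory of the JDK wording.

```python
"""Added example (not from the thread): model the hostname check that produces
the errors quoted above, and build the matching keytool -ext SAN= argument.

Assumptions (labelled): the rules mirror Java's HTTPS hostname verifier as I
understand it. An IP target is compared only with iPAddress SAN entries (the
CN never matches an IP). A DNS target is compared with dNSName SAN entries;
the CN is consulted only when the certificate has no dNSName entry at all.
A leading "*." wildcard matches exactly one label.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 certificate."""
    cn: str
    san_dns: list = field(default_factory=list)   # dNSName entries
    san_ip: list = field(default_factory=list)    # iPAddress entries

    @property
    def has_san(self):
        return bool(self.san_dns or self.san_ip)


def is_ip(target):
    """True when the name the client connected to is an IP literal."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def dns_match(pattern, host):
    """Case-insensitive DNS comparison with a single-label leftmost wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # *.example.com matches a.example.com but not example.com or a.b.example.com
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_host(target, cert):
    """Return (ok, reason). The reason strings follow the Java messages."""
    if is_ip(target):
        if not cert.has_san:
            # exactly the exception the question reports for an IP target
            return False, "No subject alternative names present"
        want = ipaddress.ip_address(target)
        if any(ipaddress.ip_address(ip) == want for ip in cert.san_ip):
            return True, "matched SAN iPAddress"
        return False, f"No subject alternative names matching IP address {target} found"
    if cert.san_dns:
        # once dNSName entries exist the CN is ignored entirely
        if any(dns_match(p, target) for p in cert.san_dns):
            return True, "matched SAN dNSName"
        return False, f"No subject alternative DNS name matching {target} found"
    # no dNSName entries: fall back to the CN (the error from the comments above)
    if dns_match(cert.cn, target):
        return True, "matched CN (fallback)"
    return False, f"No name matching {target} found"


def keytool_san_ext(names):
    """Build the -ext SAN=... value: IP literals must be tagged ip:, names dns:."""
    parts = [("ip:" if is_ip(n) else "dns:") + n for n in names]
    return "SAN=" + ",".join(parts)


if __name__ == "__main__":
    # constructed sample certificates, mirroring the situations in the thread
    by_ip_no_san = Cert(cn="192.168.1.10")
    print(verify_host("192.168.1.10", by_ip_no_san))
    fixed = Cert(cn="192.168.1.10", san_ip=["192.168.1.10"])
    print(verify_host("192.168.1.10", fixed))
    print("keytool ... -ext", keytool_san_ext(["test.abc.com", "1.1.1.1"]))
```

The practical consequence is the one the answers give: a certificate for an IP address must carry that address as an `ip:` SAN entry, and a host-name certificate is matched on `dns:` entries (or, if it has none, on the CN), so the name the client connects with must be resolvable to the server and must appear in the certificate.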
Both IP and DNS can be specified with the keytool additional argument -ext SAN=dns:abc.com,ip:1.1.1.1

Example:

keytool -genkeypair -keystore <keystore> -dname "CN=test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass <keypwd> -storepass <storepass> -keyalg RSA -alias unknown -ext SAN=dns:test.abc.com,ip:1.1.1.1
Manmade answered 27/3, 2013 at 8:41 Comment(3)
Beware that the above command does not create a CSR. Java's keytool creates a keypair in the form of a self-signed certificate in the key store, and the SAN attribute goes into that self-signed certificate. If you want to issue a CSR with a SAN attribute, you need to pass the same -ext argument to 'keytool -certreq'. Funny thing is that the self-documenting help of keytool does not include the -ext option, although keytool does process -ext just fine.Essa
@Essa this means that I may add altNames in the CSR even if these are not used when invoking -genkeypair. What would happen when receiving a certificate from the CA with this CSR? Would keytool import it and link it to the correct private key? Is this a possible way to add altNames to certificates that missed them?Ancipital
Thanks for adding a full exampleDartboard
When generating a CSR, it is possible to specify the -ext attribute again to have it inserted in the CSR:

keytool -certreq -file test.csr -keystore test.jks -alias testAlias -ext SAN=dns:test.example.com

complete example here: How to create CSR with SANs using keytool

Antinode answered 26/4, 2017 at 14:59 Comment(0)