Self-signed certificate: DNSName components must begin with a letter
Is there a way for Java's keytool to generate a self-signed certificate with a wildcard in the SAN (Subject Alternative Name)? I'm using this command to generate the keystore:

keytool -genkey -alias tomcat -storetype JKS -keyalg RSA -keysize 2048 -ext san=dns:*.example.com -keystore "path/to/my/keystore.jks" -validity 3650

But I get IOException: DNSName components must begin with a letter

Obviously, the problem is *.example.com in the SAN, but I don't see another way of generating a self-signed certificate for example.com subdomains.

According to this, it should be possible. Is it an error in my syntax, a bug in keytool, or have I misunderstood something?

BTW, I'm using keytool from JDK 1.8 update 60.

EDIT: I managed to generate a self-signed certificate for all example.com subdomains via keytool by specifying CN=*.example.com and leaving the SAN empty. Nonetheless, I'll leave Omikron's answer as accepted (since it's an actual answer and not a bypass of the restrictions).

Gnosticize answered 20/11, 2015 at 13:22
Keytool internally uses the class sun.security.x509.DNSName to check the input. DNSName enforces the syntax specified in RFC 1034. Quote from its Javadoc comment:

The name MUST be in the "preferred name syntax," as specified by RFC 1034.

The preferred name syntax is:

<domain> ::= <subdomain> | " "
<subdomain> ::= <label> | <subdomain> "." <label>
<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
<let-dig-hyp> ::= <let-dig> | "-"
<let-dig> ::= <letter> | <digit>
<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case
<digit> ::= any one of the ten digits 0 through 9

So according to this syntax, domain names have to begin with a letter (A-Z, a-z).

Newer RFCs (e.g. RFC 2181, RFC 1123) are relaxing these restrictions, so this can be considered a bug in Java. There are already several related bug reports:

https://bugs.openjdk.java.net/browse/JDK-8016345
https://bugs.openjdk.java.net/browse/JDK-8007706

So, the answer is no, there is currently no way to create a wildcard SAN extension with keytool.

But you could use KeyStore Explorer to do this. It is basically keytool with a GUI and does not enforce these restrictions.

UPDATE: This has been fixed in Java 15: https://bugs.openjdk.java.net/browse/JDK-8186143

Pallaten answered 21/11, 2015 at 15:9
Thanks, I'm not a big fan of SF and projects hosted there, so I'll try with OpenSSL first... As a last resort I'll use KeyStore Explorer. Your answer is marked as accepted. Again, thank you. - Gnosticize
@Gnosticize If you don't like SF, you can download it from GitHub: github.com/kaikramer/keystore-explorer/releases - Pallaten
@Pallaten your final openjdk bug link is actually also a link to keystore explorer, I assume it is unintentional and not meant to be misleading. - Launcher
Yes, they even showcase the fix in a dedicated blog post: blogs.oracle.com/blogbypuneeth/… - Hartzke
Still facing such an error when I am trying to generate multi-level subdomain wildcard certificates, like *.*.example.com; any idea? - Bandler
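To make the grammar quoted in the answer concrete, here is an added example (not code from the question, the answer, or the JDK) that implements the RFC 1034 label rule as a strict check, which rejects exactly the values the JDK 8 keytool rejected, next to a relaxed RFC 1123-style check that also accepts a single leading "*" label. That the relaxed rule mirrors what the JDK 15 fix permits is an assumption; the sample SAN values are the ones from the question and the comments.

```python
import re

# RFC 1034 "preferred name syntax", one label at a time, as quoted in the answer:
# <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
_RFC1034_LABEL = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

# RFC 1123 section 2.1 relaxes the first character to a letter or a digit.
_RFC1123_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def is_rfc1034_dnsname(name: str) -> bool:
    """Strict rule: every label must begin with a letter, so '*.example.com'
    and '3com.example.com' are both rejected (the JDK 8 keytool behaviour)."""
    return all(_RFC1034_LABEL.fullmatch(label) for label in name.split("."))


def is_relaxed_dnsname(name: str, allow_leading_wildcard: bool = True) -> bool:
    """Relaxed rule (assumption: approximates what the JDK 15 fix accepts, not
    the JDK's own code): labels may start with a digit, and one leading '*'
    label is allowed. A wildcard anywhere else ('*.*.example.com',
    'a*.example.com') or a bare '*' is still rejected."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if allow_leading_wildcard and labels[0] == "*":
        labels = labels[1:]
        if not labels:  # "*" on its own names nothing
            return False
    return all(len(label) <= 63 and _RFC1123_LABEL.fullmatch(label)
               for label in labels)


def check_san_values(values):
    """Classify candidate dNSName values under both rules: {value: (strict, relaxed)}."""
    return {v: (is_rfc1034_dnsname(v), is_relaxed_dnsname(v)) for v in values}


if __name__ == "__main__":
    # Constructed inputs: the value from the question, two valid names, a label
    # starting with a hyphen, and the multi-level wildcard from the last comment.
    samples = ["*.example.com", "example.com", "3com.example.com",
               "-x.example.com", "*.*.example.com"]
    for value, (strict, relaxed) in check_san_values(samples).items():
        print(f"{value:20} RFC1034={str(strict):5} relaxed={relaxed}")
```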
