Java Keytool stripping away SAN on CSR generation
Question
Using the keytool included with JDK 7, I am creating a keystore including a certificate with a SAN extension. If decode the certificate, I see the SAN extension. If I then use keytool to export a CSR, the SAN information is missing from the CSR.
What gives?
Update : I've learned that if I want to include a SAN in the CSR I need to explicitly indicate the SAN in the command lie so:
keytool -certreq -alias mycertificate -keystore mekeystore.jks -ext san=dns:mydomain.com
That said, I've punted on using the SAN as signing the CSR with my OpenSSL CA is needlessly complicated.
1 answers
solution1
4 ACCPTED 2014-01-21 21:59:00
It is normal that SAN is not included when exporting a CSR. In generating a CSR, you only need to provide one common name or domain name.
Refer to this link: https://support.globalsign.com/customer/portal/articles/1229769-certificate-signing-request-csr---overview
SAN or Subject Alternative Name are being added during the ordering process of the certificate from a Certificate Authority. SANs are being added on the certificate and not on the CSR.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.