How to add subject alernative name to ssl certs?

49
votes

I'm using openssl to create self-signed certs. I'm getting this error with the certs I generated:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present


Does anyone know how to specify "Subject alternative name" while creating a cert? This is how I'm generating a keystore:

sudo $JAVA_HOME/bin/keytool -genkey -dname "CN=192.168.x.xxx, OU=I, O=I, L=T, ST=On, C=CA" -alias tomcat -validity 3650 -keyalg RSA -keystore /root/.keystore -keypass abcd -storepass abcd

To generate a key:

 openssl s_client -connect 192.168.x.xxx:8443 2>/dev/null

Please help! Thanks!

3
sslssl-certificatex509certificatekeytool
possible duplicate of How are SSL certificate server names resolved/Can I add alternative names using keytool?Bruno
@ Sapphire: I don't understand your problem. The Subject Alternative Name is NOT a required extension in X.509 certificate.So if you have a certificate without it, there is no problem. So how are you getting this exception?Cratylus
@user384706 Can you please look at this question? Even I'm confused about why it is throwing this error. [stackoverflow.com/questions/8759956/…Sapphire
@Sapphire: Replied in the other threadCratylus
The accepted answer is in Java. To do this with OpenSSL, here's an answer: security.stackexchange.com/a/91556tresf

3 Answers

72
votes

Although this question was more specifically about IP addresses in Subject Alt. Names, the commands are similar (using DNS entries for a host name and IP entries for IP addresses).

To quote myself:

If you're using keytool, as of Java 7, keytool has an option to include a Subject Alternative Name (see the table in the documentation for -ext): you could use -ext san=dns:www.example.com or -ext san=ip:10.0.0.1

Note that you only need Java 7's keytool to use this command. Once you've prepared your keystore, it should work with previous versions of Java.

(The rest of this answer also mentions how to do this with OpenSSL, but it doesn't seem to be what you're using.)

33
votes

Both IP and DNS can be specified with the keytool additional argument -ext SAN=dns:abc.com,ip:1.1.1.1

Example:

keytool -genkeypair -keystore <keystore> -dname "CN=test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass <keypwd> -storepass <storepass> -keyalg RSA -alias unknown -ext SAN=dns:test.abc.com,ip:1.1.1.1
8
votes

When generating CSR is possible to specify -ext attribute again to have it inserted in the CSR

keytool -certreq -file test.csr -keystore test.jks -alias testAlias -ext SAN=dns:test.example.com

complete example here: How to create CSR with SANs using keytool