Does Java Keytool allow SAN values to have wildcarded DNS names


Problem description

According to RFC 2818 (section 3.1) and RFC 2459, it seems to be allowed to have a list of DNS name entries as part of SAN names and cover multiple domains:

SubjectAlternativeName [
  DNSName: localhost
  DNSName: *.i.mydomain.net
  DNSName: *.mydomain.net
]

Using the Java keytool application, it doesn't seem to allow SAN entries to have wildcards in DNS names. Does anyone know whether I can use some tricks (!) to do this?

Recommended answer

I've run into this problem in the past and worked around it by using OpenSSL to generate CSRs and only using keytool when I have to (importing & exporting certificates and keys).

Here's what I did:

Have a req.cfg file that looks something like this:

[req]
# openssl req refuses to run without a distinguished_name section;
# prompt = no reads the CN from [dn] instead of asking interactively
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = mydomain.com
[v3_req]
subjectAltName = @san
[san]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com

Then run:

$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out keypair.csr -keyout keypair.key -config req.cfg

Now that you have your certificate signing request and private key, you can send your CSR to a CA or use OpenSSL to self-sign a certificate using the keypair.csr you just generated. However you do this, let's assume you get a cert that we'll call mycert.crt.

You're pretty much done now, but the tricky part is that you now need to convert your cert-key pair into a PKCS12 keystore before you attempt to import it into your JKS keystore.

openssl pkcs12 -export -name mycertname -in mycert.crt -inkey keypair.key -out keystore.p12
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias mycertname
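The procedure above carried end to end (CSR with wildcard SANs, self-signing, PKCS12 bundle, JKS import), as an added shell example; it is not the answerer's script. It assumes openssl is on PATH, skips the keytool import when keytool is absent, uses a constructed keystore password (changeit), and writes a req.cfg with a [dn] section so openssl req runs non-interactively. The one step the answer leaves open, self-signing, is where the SAN is easily lost: openssl x509 -req does not copy extensions from the CSR unless told to with -extfile/-extensions, so the script passes req.cfg again and then reads the DNS names back out of the signed certificate to confirm the wildcard survived.

```shell
#!/bin/sh
# Added example (not the answer's own script): key + CSR with wildcard SAN
# entries, self-signed without dropping the SAN extension, converted to PKCS12,
# imported into a JKS keystore when keytool is available, and the SAN DNS names
# read back from the certificate as the final check.
# Assumptions: openssl on PATH; WORKDIR defaults to a fresh temp directory;
# file names and alias follow the answer; the password "changeit" is constructed.

set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request config from the answer, plus the [dn] section openssl req requires.
write_req_cfg() {
    cat > "$WORKDIR/req.cfg" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = mydomain.com
[v3_req]
subjectAltName = @san
[san]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com
EOF
}

# Step 1: private key and a CSR that carries the SAN extension.
make_csr() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -out "$WORKDIR/keypair.csr" -keyout "$WORKDIR/keypair.key" \
        -config "$WORKDIR/req.cfg" 2>/dev/null
}

# Step 2: self-sign. Caveat: without -extfile/-extensions the certificate is
# issued with no extensions at all and the wildcard SAN silently disappears.
self_sign() {
    openssl x509 -req -days 365 -sha256 \
        -in "$WORKDIR/keypair.csr" -signkey "$WORKDIR/keypair.key" \
        -extfile "$WORKDIR/req.cfg" -extensions v3_req \
        -out "$WORKDIR/mycert.crt" 2>/dev/null
}

# Step 3: bundle cert + key as PKCS12, then hand it to keytool for the JKS.
to_keystores() {
    openssl pkcs12 -export -name mycertname \
        -in "$WORKDIR/mycert.crt" -inkey "$WORKDIR/keypair.key" \
        -out "$WORKDIR/keystore.p12" -passout pass:changeit
    if command -v keytool >/dev/null 2>&1; then
        rm -f "$WORKDIR/keystore.jks"
        keytool -importkeystore -noprompt \
            -destkeystore "$WORKDIR/keystore.jks" -deststorepass changeit \
            -srckeystore "$WORKDIR/keystore.p12" -srcstoretype pkcs12 \
            -srcstorepass changeit -srcalias mycertname -destalias mycertname \
            >/dev/null 2>&1
    fi
}

# Check: print the DNS names from the signed certificate's SAN, one per line.
# An empty result means the extension was dropped during signing.
cert_san_dns() {
    openssl x509 -in "$WORKDIR/mycert.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Run the whole chain; the SAN DNS names are the only output.
run_all() {
    write_req_cfg && make_csr && self_sign && to_keystores && cert_san_dns
}

run_all
```

Running the script prints the two SAN entries (*.mydomain.com and mydomain.com); after the import, keytool -list -v -keystore keystore.jks shows the same SubjectAlternativeName block, which is the confirmation that keytool stores wildcard SANs fine once it is only asked to import rather than generate them.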
