Does Java Keytool allow SAN values to have wildcarded DNS names
Question
According to RFC 2818 (section 3.1) and RFC 2459, it seems to be allowed to have a list of DNS name entries as part of the SAN names and cover multiple domains:
SubjectAlternativeName [
DNSName: localhost
DNSName: *.i.mydomain.net
DNSName: *.mydomain.net
]
Using the Java keytool application, it doesn't seem to allow SAN entries to have wildcards in DNS names. Does anyone know whether I can use some tricks(!) to do this?
Recommended answer
I've run into this problem in the past and worked around it by using OpenSSL to generate CSRs and only using keytool when I have to (importing & exporting certificates and keys).
Here's what I did. Have a req.cfg file that looks something like this:
[req]
req_extensions = v3_req
[v3_req]
subjectAltName = @san
[san]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com
Then run:
$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out keypair.csr -keyout keypair.key -config req.cfg
Now that you have your certificate signing request and private key, you can send your CSR to a CA or use OpenSSL to self-sign a certificate using the keypair.csr you just generated. However you do this, let's assume you get a cert that we'll call mycert.crt.
You're pretty much done now, but the tricky part is that you now need to convert your cert-key pair into a PKCS12 keystore before you attempt to import it into your JKS keystore.
openssl pkcs12 -export -name mycertname -in mycert.crt -inkey keypair.key -out keystore.p12
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias mycertname
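The OpenSSL part of the flow above, as an added example that is not part of the original answer. It covers the step the answer leaves to the reader: when you self-sign the CSR with `openssl x509 -req`, the SAN extension in the CSR is not copied into the certificate unless you point OpenSSL at the extension section again with `-extfile`/`-extensions`. It assumes `openssl` is installed; the domain names and file names are constructed, and a `distinguished_name` section is added so the request runs non-interactively.

```shell
#!/bin/sh
# Added example: generate a self-signed certificate whose SAN list contains a
# wildcard DNS name, then read the SAN entries back to confirm they survived.
set -e

# Write the request config (domain names are constructed examples).
write_req_cfg() {  # $1 = output path
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = mydomain.com

[v3_req]
subjectAltName = @san

[san]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com
EOF
}

# Generate key + CSR, then self-sign for 365 days. The -extfile/-extensions
# pair re-applies v3_req; without it the certificate would have no SAN at all.
make_wildcard_cert() {  # $1 = working directory
    write_req_cfg "$1/req.cfg"
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -out "$1/keypair.csr" -keyout "$1/keypair.key" -config "$1/req.cfg" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$1/keypair.csr" -signkey "$1/keypair.key" \
        -extfile "$1/req.cfg" -extensions v3_req -out "$1/mycert.crt" 2>/dev/null
}

# Print the SAN entries of a certificate, one per line, e.g. "DNS:*.mydomain.com".
cert_sans() {  # $1 = certificate path
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}

# Usage: `sh thisfile.sh run` builds the files in a temp dir and lists the SANs.
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    make_wildcard_cert "$dir"
    cert_sans "$dir/mycert.crt"
fi
```

After this, `mycert.crt` and `keypair.key` are the inputs to the `openssl pkcs12 -export` and `keytool -importkeystore` commands shown in the answer.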