Self-signed certificate: DNSName components must begin with a letter


Question

Is there a way for Java's keytool to generate a self-signed certificate with a wildcard in the SAN (Subject Alternative Name)? I'm using this command to generate the keystore:

keytool -genkey -alias tomcat -storetype JKS -keyalg RSA -keysize 2048 -ext san=dns:*.example.com -keystore "path/to/my/keystore.jks" -validity 3650

But I get IOException: DNSName components must begin with a letter

Obviously, the problem is *.example.com in the SAN, but I don't see another way of generating a self-signed certificate for example.com subdomains.

According to this, it should be possible. Is it an error in my syntax, a bug in keytool, or did I misunderstand something?

BTW, I'm using keytool from JDK 1.8 update 60.

EDIT: I managed to generate a self-signed certificate for all example.com subdomains via keytool by specifying CN=*.example.com and leaving the SAN empty. Nonetheless, I'll leave Omikron's answer as accepted (since it's an actual answer and not a bypass of the restrictions).

Accepted answer

Keytool internally uses the class sun.security.x509.DNSName to check the input. DNSName enforces the syntax specified in RFC 1034. Quote from its Javadoc comment:

The name MUST be in the "preferred name syntax," as specified by RFC 1034.

The preferred name syntax is:

<domain> ::= <subdomain> | " "
<subdomain> ::= <label> | <subdomain> "." <label>
<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
<let-dig-hyp> ::= <let-dig> | "-"
<let-dig> ::= <letter> | <digit>
<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case
<digit> ::= any one of the ten digits 0 through 9

So according to this syntax, domain names have to begin with a letter (A-Z, a-z).

Newer RFCs (e.g. RFC 2181, RFC 1123) are relaxing these restrictions, so this can be considered a bug in Java. There are already several related bug reports:

https://bugs.openjdk.java.net/browse/JDK-8016345
https://bugs.openjdk.java.net/browse/JDK-8007706

So, the answer is no, there is currently no way to create a wildcard SAN extension with keytool.

But you could use KeyStore Explorer to do this. It is basically keytool with a GUI and does not enforce these restrictions.

UPDATE: This has been fixed in Java 15: https://bugs.openjdk.java.net/browse/JDK-8186143
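To make the grammar quoted in the answer concrete, here is an added example (not code from the page, the JDK or KeyStore Explorer) that validates a hostname label by label against the RFC 1034 "preferred name syntax" and, as an assumed alternative, against the relaxed RFC 1123 rule that lets a label start with a digit; the `wildcard_allowed` helper is a hypothetical policy that accepts one leading `*` label, which is what a wildcard SAN needs and what the strict check rejects.

```python
import re
from typing import Optional, Pattern

# RFC 1034 preferred name syntax, as quoted in the answer:
#   <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
# A label starts with a letter, may continue with letters, digits and
# hyphens, and must end with a letter or digit.
RFC1034_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# RFC 1123 section 2.1 relaxes the first character to a letter or digit.
RFC1123_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_dns_name(name: str, label_re: Pattern = RFC1034_LABEL) -> Optional[str]:
    """Return None if `name` satisfies the label grammar, else the reason it fails.

    This mirrors the kind of per-label check the answer describes DNSName
    performing; it is a stand-alone re-implementation, not the JDK's code.
    Labels are also limited to 63 octets (RFC 1034 section 3.1)."""
    if not name:
        return "empty name"
    for label in name.split("."):
        if not label:
            return "empty label (leading, trailing or doubled dot)"
        if len(label) > 63:
            return "label '%s' is longer than 63 octets" % label
        if not label_re.match(label):
            return "label '%s' does not match the label grammar" % label
    return None


def wildcard_allowed(name: str) -> bool:
    """Hypothetical relaxed policy: accept exactly one leading '*' label and
    validate the remaining labels under RFC 1123."""
    labels = name.split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
        if not labels:          # a bare "*" names nothing
            return False
    return check_dns_name(".".join(labels), RFC1123_LABEL) is None


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the question.
    for candidate in ["www.example.com", "*.example.com", "3com.example.com"]:
        print(candidate, "->", check_dns_name(candidate) or "ok (RFC 1034)",
              "| wildcard policy:", wildcard_allowed(candidate))
```

Running it shows `*.example.com` rejected by the strict check (the `*` label does not start with a letter) while the wildcard policy accepts it, and `3com.example.com` rejected by RFC 1034 but accepted under RFC 1123.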
