自签名证书：DNSName组件必须以字母开头 [英] Self-signed certificate: DNSName components must begin with a letter

问题描述

java的keytool是否有办法在SAN（主题备用名称）中使用通配符生成自签名证书？我正在使用此命令生成密钥库：

Is there a way for java's keytool to generate self-signed certificate with a wildcard in SAN (Subject Alternative Name)? I'm using this command to generate keystore:

keytool -genkey -alias tomcat -storetype JKS -keyalg RSA -keysize 2048 -ext san=dns:*.example.com -keystore "path/to/my/keystore.jks" -validity 3650

但是我得到 IOException：DNSName组件必须以字母开头

显然，问题是SAN中的 *。example.com ，但我没有看到为 example.com生成自签名证书的其他方式子域名。

Obviously, the problem is *.example.com in SAN, but I don't see other way of generating self-signed certificate for example.com subdomains.

根据这个，它应该是可能。我的语法错误，keytool中的错误，或者我误解了什么？

According to this, it should be possible. Is it error in my syntax, bug in keytool, or I misunderstood something?

BTW，我正在使用JDK 1.8更新60的keytool

BTW, I'm using keytool from JDK 1.8 update 60

编辑我设法通过指定<$ c，通过keytool为所有 example.com 子域名生成自签名证书$ c> CN = * .example.com ，并将SAN留空。尽管如此，我将Omikron的答案视为已被接受（因为它是一个真正的答案，而不是绕过限制）。

EDIT I managed to generate self-signed certificate for all example.com subdomains via keytool by specifying CN=*.example.com, and leaving SAN empty. Nonetheless, I'll leave Omikron's answer as accepted (since it's an actual answer and not a bypass of restrictions).

推荐答案

Keytool在内部使用类 sun.security.x509.DNSName 来检查输入。 DNSName强制执行 RFC 1034 中指定的语法。引用其Javadoc评论：

Keytool internally uses the class sun.security.x509.DNSName to check the input. DNSName enforces the syntax specified in RFC 1034. Quote from its Javadoc comment:

名称必须在首选名称语法中，由RFC
1034指定。

The name MUST be in the "preferred name syntax," as specified by RFC 1034.

首选名称语法为：

<domain> ::= <subdomain> | " "
<subdomain> ::= <label> | <subdomain> "." <label>
<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
<let-dig-hyp> ::= <let-dig> | "-"
<let-dig> ::= <letter> | <digit>
<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case
<digit> ::= any one of the ten digits 0 through 9

所以根据这种语法，域名有以字母（AZ，az）开头。

So according to this syntax, domain names have to begin with a letter (A-Z, a-z).

较新的RFC（例如 RFC 2181 ， RFC 1123 ）正在放松这些限制，所以这可以被认为是Java中的一个错误。已经有几个相关的错误报告：

Newer RFCs (e.g. RFC 2181, RFC 1123) are relaxing these restrictions, so this can be considered a bug in Java. There are already several related bug reports:

https://bugs.openjdk.java.net/browse/JDK-8016345

https://bugs.openjdk.java.net/browse/JDK-8007706

所以，答案是的，目前无法使用keytool创建通配符SAN扩展。

So, the answer is no, there is currently no way to create a wildcard SAN extension with keytool.

但是你可以使用 KeyStore Explorer 来做到这一点。它基本上是带有GUI的keytool，并没有强制执行这些限制。

But you could use KeyStore Explorer to do this. It is basically keytool with a GUI and does not enforce these restrictions.

这篇关于自签名证书：DNSName组件必须以字母开头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！