Self-signed certificate: DNSName components must begin with a letter
Question
Is there a way for Java's keytool to generate a self-signed certificate with a wildcard in the SAN (Subject Alternative Name)? I'm using this command to generate the keystore:
keytool -genkey -alias tomcat -storetype JKS -keyalg RSA -keysize 2048 -ext san=dns:*.example.com -keystore "path/to/my/keystore.jks" -validity 3650
But I get IOException: DNSName components must begin with a letter
Obviously, the problem is *.example.com in the SAN, but I don't see another way of generating a self-signed certificate for example.com subdomains.
According to this, it should be possible. Is it an error in my syntax, a bug in keytool, or did I misunderstand something?
BTW, I'm using keytool from JDK 1.8 update 60.
EDIT I managed to generate a self-signed certificate for all example.com subdomains via keytool by specifying CN=*.example.com and leaving the SAN empty. Nonetheless, I'll leave Omikron's answer as accepted (since it's an actual answer and not a bypass of the restrictions).
Accepted answer
Keytool internally uses the class sun.security.x509.DNSName to check the input. DNSName enforces the syntax specified in RFC 1034. Quote from its Javadoc comment:
The name MUST be in the "preferred name syntax," as specified by RFC 1034.
The preferred name syntax is:
<domain> ::= <subdomain> | " "
<subdomain> ::= <label> | <subdomain> "." <label>
<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
<let-dig-hyp> ::= <let-dig> | "-"
<let-dig> ::= <letter> | <digit>
<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case
<digit> ::= any one of the ten digits 0 through 9
So according to this syntax, domain names have to begin with a letter (A-Z, a-z).
Newer RFCs (e.g. RFC 2181, RFC 1123) are relaxing these restrictions, so this can be considered a bug in Java. There are already several related bug reports:
https://bugs.openjdk.java.net/browse/JDK-8016345
https://bugs.openjdk.java.net/browse/JDK-8007706
So, the answer is no: there is currently no way to create a wildcard SAN extension with keytool.
But you could use KeyStore Explorer to do this. It is basically keytool with a GUI and does not enforce these restrictions.