Question
According to RFC 2818 (section 3.1) and RFC 2459, it seems to be allowed to have a list of DNS name entries as part of the SAN and cover multiple domains:

    SubjectAlternativeName [
        DNSName: localhost
        DNSName: *.i.mydomain.net
        DNSName: *.mydomain.net
    ]

Using the Java keytool application, it doesn't seem to allow SAN entries to have wildcards in DNS names. Does anyone know whether I can use some tricks(!) to do this?
Answer 1:
I've run into this problem in the past and worked around it by using OpenSSL to generate CSRs and only using keytool when I have to (importing & exporting certificates and keys).
EDIT: here's the tl;dr of what I did.

Have a req.cfg file that looks something like this:

    [req]
    # openssl req -new refuses to run without a distinguished_name section;
    # prompt = no lets it take the subject from [dn] non-interactively
    prompt = no
    distinguished_name = dn
    req_extensions = v3_req
    [dn]
    CN = mydomain.com
    [v3_req]
    subjectAltName = @san
    [san]
    DNS.1 = *.mydomain.com
    DNS.2 = mydomain.com
Then run this:

    $ openssl req -new -newkey rsa:2048 -sha256 -nodes -out keypair.csr -keyout keypair.key -config req.cfg
Now that you have your certificate signing request and private key, you can send your CSR to a CA or use OpenSSL to self-sign a certificate using the keypair.csr you just generated. However you do this, let's assume you get a cert that we'll call mycert.crt.

You're pretty much done now, but the tricky part is that you now need to convert your cert-key pair into a PKCS12 keystore before attempting to import into your JKS keystore.

    openssl pkcs12 -export -name mycertname -in mycert.crt -inkey keypair.key -out keystore.p12
    keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias mycertname
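The whole OpenSSL side of the answer as one runnable script (an added example, not the answer's own code): it writes the config, generates the key and CSR, self-signs while keeping the SAN (a plain `openssl x509 -req` discards CSR extensions, so they are re-applied from the same config), converts to PKCS12, and reads the issued DNS names back so the wildcard SAN can be verified before the keytool import. Domain, alias and file names are constructed placeholders.

```shell
# Added example, not code from the original answer. Builds a CSR whose SAN
# carries wildcard DNS names, self-signs it without losing that SAN, and
# reads the issued names back so the key pair can be checked before the
# PKCS12/keytool import. Domain and file names are constructed placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

write_req_cfg() {
  # distinguished_name/prompt are required for a non-interactive "req -new"
  cat > "$WORK/req.cfg" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = mydomain.com
[v3_req]
subjectAltName = @san
[san]
DNS.1 = *.mydomain.com
DNS.2 = mydomain.com
EOF
}

make_csr() {   # key + CSR; the SAN comes from [v3_req] via req_extensions
  openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$WORK/req.cfg" \
    -keyout "$WORK/keypair.key" -out "$WORK/keypair.csr" 2>/dev/null
}

self_sign() {  # "x509 -req" drops CSR extensions unless told to add them,
               # so the SAN is re-applied explicitly from the same config
  openssl x509 -req -days 30 -sha256 -in "$WORK/keypair.csr" \
    -signkey "$WORK/keypair.key" -extfile "$WORK/req.cfg" -extensions v3_req \
    -out "$WORK/mycert.crt" 2>/dev/null
}

cert_sans() {  # DNS names in the issued certificate's SAN, one per line
  openssl x509 -in "$WORK/mycert.crt" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *DNS://'
}

to_pkcs12() {  # the answer's conversion step, ready for keytool -importkeystore
  openssl pkcs12 -export -name mycertname -in "$WORK/mycert.crt" \
    -inkey "$WORK/keypair.key" -out "$WORK/keystore.p12" -passout pass:changeit
}
write_req_cfg && make_csr && self_sign && to_pkcs12
cert_sans
```

If `cert_sans` prints only the CN or nothing at all, the SAN was lost at signing time and keytool will import a certificate that matches no wildcard host.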
Source: https://stackoverflow.com/questions/45574633/does-java-keytool-allow-san-values-to-have-wildcarded-dns-names