I'd like to ask whether it is possible to create a CSR that contains SAN records.
I created the keystore as:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias testAlias -ext SAN=dns:test.example.com -keystore test.jks -storetype JKS -dname "CN=test"
I can check using keytool that the SAN is in the keystore:
keytool -list -v -keystore test.jks
and the relevant part of the output is:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: test.example.com
]
Then I created CSR using keytool:
keytool -certreq -file test.csr -keystore test.jks -alias testAlias
but in the CSR the information about the SAN is missing.
How to check:
keytool -printcertreq -file test.csr -v
Correctly, there should be something similar to:
Extension Request:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: test.example.com
]
Did I miss some option for certreq?
A safer option for adding SAN information to an already-signed CSR is to use an enrollment agent (EA) certificate to re-sign the original request. You can then specify the correct SAN information, and re-sign the original request with the EA certificate.
When you generate the CSR, you need to specify the -ext attribute again:
keytool -certreq -file test.csr -keystore test.jks -alias testAlias -ext SAN=dns:test.example.com
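The behaviour from the question and the fix from the answer above, reproduced end to end as an added example that is not part of the original posts. The scratch directory, the file names no_ext.csr and with_ext.csr, the helper function names and the throwaway password are assumptions; -storepass and -keypass are added only so keytool runs without prompting.

```shell
#!/bin/sh
# Added example: scratch paths, file names and the password are constructed.
PASS=changeit   # assumption: throwaway password so keytool runs without prompts

# Exit 0 when the CSR carries a SubjectAlternativeName extension request.
csr_has_san() {
    keytool -printcertreq -file "$1" -v 2>/dev/null | grep -q 'SubjectAlternativeName'
}

# Print "present" or "missing" for one CSR file.
san_status() {
    if csr_has_san "$1"; then echo present; else echo missing; fi
}

# Create a key pair whose self-signed certificate has the SAN, then request
# two CSRs from it: one without -ext and one with -ext repeated.
make_csrs() {
    dir=$1
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias testAlias \
        -ext SAN=dns:test.example.com -keystore "$dir/test.jks" -storetype JKS \
        -dname "CN=test" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1 || return 1
    keytool -certreq -file "$dir/no_ext.csr" -keystore "$dir/test.jks" \
        -alias testAlias -storepass "$PASS" >/dev/null 2>&1 || return 1
    keytool -certreq -file "$dir/with_ext.csr" -keystore "$dir/test.jks" \
        -alias testAlias -storepass "$PASS" \
        -ext SAN=dns:test.example.com >/dev/null 2>&1
}

NO_EXT_STATUS=skipped
WITH_EXT_STATUS=skipped
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    if make_csrs "$work"; then
        NO_EXT_STATUS=$(san_status "$work/no_ext.csr")
        WITH_EXT_STATUS=$(san_status "$work/with_ext.csr")
    fi
    rm -rf "$work"
fi
echo "certreq without -ext: SAN $NO_EXT_STATUS"
echo "certreq with -ext:    SAN $WITH_EXT_STATUS"
```

Running the same check on a CSR before submitting it to a CA catches a request that would yield a certificate without the expected host names.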