Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Self-signed certificate: DNSName components must begin with a letter

Tags:

java

certificate

self-signed

keytool

wildcard-subdomain

Is there a way for java's keytool to generate self-signed certificate with a wildcard in SAN (Subject Alternative Name)? I'm using this command to generate keystore:

keytool -genkey -alias tomcat -storetype JKS -keyalg RSA -keysize 2048 -ext san=dns:*.example.com -keystore "path/to/my/keystore.jks" -validity 3650

But I get IOException: DNSName components must begin with a letter

Obviously, the problem is *.example.com in SAN, but I don't see other way of generating self-signed certificate for example.com subdomains.

According to this, it should be possible. Is it error in my syntax, bug in keytool, or I misunderstood something?

BTW, I'm using keytool from JDK 1.8 update 60

EDIT I managed to generate self-signed certificate for all example.com subdomains via keytool by specifying CN=*.example.com, and leaving SAN empty. Nonetheless, I'll leave Omikron's answer as accepted (since it's an actual answer and not a bypass of restrictions).

like image 409
zkristic Avatar asked Nov 20 '15 13:11

zkristic

1 Answers

Keytool internally uses the class sun.security.x509.DNSName to check the input. DNSName enforces the syntax specified in RFC 1034. Quote from its Javadoc comment:

The name MUST be in the "preferred name syntax," as specified by RFC 1034.

The preferred name syntax is:

<domain> ::= <subdomain> | " "
<subdomain> ::= <label> | <subdomain> "." <label>
<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
<let-dig-hyp> ::= <let-dig> | "-"
<let-dig> ::= <letter> | <digit>
<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case
<digit> ::= any one of the ten digits 0 through 9

So according to this syntax, domain names have to begin with a letter (A-Z, a-z).

Newer RFCs (e.g. RFC 2181, RFC 1123) are relaxing these restrictions, so this can be considered a bug in Java. There are already several related bug reports:

https://bugs.openjdk.java.net/browse/JDK-8016345
https://bugs.openjdk.java.net/browse/JDK-8007706

So, the answer is no, there is currently no way to create a wildcard SAN extension with keytool.

But you could use KeyStore Explorer to do this. It is basically keytool with a GUI and does not enforce these restrictions.

UPDATE: This has been fixed in Java 15: https://bugs.openjdk.java.net/browse/JDK-8186143

like image 122
Omikron Avatar answered Sep 28 '22 11:09

Omikron
Sign in to Comment

Related questions

Should you use AccountManager for storing Usernames and Passwords for an Android app?
How do I obtain a fully resolved Model of a pom file?
Does this mean that Java Math.floor is extremely slow?
How to set environment variables to an application on OSX Mountain Lion?
Eclipse Warning: Unknown Faceted Project
Does Sublime Text 2 win over Eclipse for Java Development [closed]
Is there a way in logback.xml to specify file log destination through classpath:, without absolute path?
Spring Security OAuth2 pure resource server
Extracting Data from pdf417 such as Drivers License
How to add scrollbar to Vaadin layout
Unnecessary boxing inspection reported by IDE
Creating Objects on the stack memory in java ?
Convert timestamp to string
Java 8 Double curly bracket initialization and name collision
Primary shard is not active or isn't assigned is a known node ?
Hibernate SQL In clause making CPU usage to 100%
Intellij Idea hint: Condition is always false - can that be true here? (Java)
Why is my Java heap dump size much smaller than used memory?
How to suppress violations in PMD?
Java, Finding Kth largest value from the array [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!