
Using the keytool included with JDK 7, I am creating a keystore including a certificate with a SAN extension. If I decode the certificate, I see the SAN extension. If I then use keytool to export a CSR, the SAN information is missing from the CSR.

What gives?

Update: I've learned that if I want to include a SAN in the CSR I need to explicitly indicate the SAN on the command line, like so:

keytool -certreq -alias mycertificate -keystore mekeystore.jks -ext san=dns:mydomain.com

That said, I've punted on using the SAN as signing the CSR with my OpenSSL CA is needlessly complicated.

HolySamosa

  • Can you provide the list of commands you typed? It is possible to include an extensionRequest attribute in the CSR (for instance an extensionRequest attribute containing the SAN extension) but I'm not sure that keytool supports this feature. – Jcs Jan 21 '14 at 21:08
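The `-ext san=` flag in the update and the extensionRequest attribute Jcs mentions are the same thing seen from two sides: keytool places the SAN extension inside a PKCS#9 extensionRequest attribute (OID 1.2.840.113549.1.9.14) in the CSR's attributes field, and a CA that honours it copies the names into the issued certificate. The following added example (not keytool's or OpenSSL's code, and not part of the original question) builds that attribute in DER from the `dns:`/`ip:` syntax and decodes it back, which is the check to run on a CSR before sending it to a CA: if the attribute is absent, the SAN was never requested. The DER helpers and the sample names are assumptions constructed for the example; the OIDs and tag numbers are the standard ones from RFC 2985 and RFC 5280.

```python
"""Encode and decode the PKCS#10 extensionRequest attribute that carries a
subjectAltName extension inside a CSR. Constructed example; standalone."""
import ipaddress

OID_SAN = bytes.fromhex("551d11")                   # 2.5.29.17 subjectAltName
OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")   # 1.2.840.113549.1.9.14 extensionRequest


def _der_len(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_san_attribute(names):
    """Build the CSR 'attributes' field ([0] IMPLICIT SET OF Attribute)
    holding an extensionRequest with one SAN extension.
    `names` uses keytool's -ext san= syntax: ['dns:host', 'ip:1.2.3.4'].
    """
    general_names = b""
    for entry in names:
        kind, _, value = entry.partition(":")
        kind = kind.lower()
        if kind == "dns":
            general_names += tlv(0x82, value.encode("ascii"))              # [2] dNSName
        elif kind == "ip":
            general_names += tlv(0x87, ipaddress.ip_address(value).packed)  # [7] iPAddress
        else:
            raise ValueError("unsupported SAN type: " + kind)
    # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING (DER of GeneralNames) }
    extension = tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, tlv(0x30, general_names)))
    extensions = tlv(0x30, extension)
    # Attribute ::= SEQUENCE { type OID extensionRequest, values SET { Extensions } }
    attribute = tlv(0x30, tlv(0x06, OID_EXT_REQ) + tlv(0x31, extensions))
    return tlv(0xA0, attribute)


def _read_tlv(buf, pos=0):
    """Parse one DER element at `pos`; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """All top-level DER elements inside a constructed value."""
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def decode_san_from_attributes(attrs_der):
    """Return the SAN entries requested in a CSR attributes field,
    or [] when no extensionRequest/SAN is present."""
    tag, body, _ = _read_tlv(attrs_der)
    if tag != 0xA0:
        raise ValueError("expected [0] IMPLICIT attributes")
    sans = []
    for _t, attr_body in _children(body):
        fields = dict(_children(attr_body))            # {0x06: OID, 0x31: SET body}
        if fields.get(0x06) != OID_EXT_REQ:
            continue                                   # e.g. a challengePassword attribute
        for _t2, exts_body in _children(fields[0x31]):
            for _t3, ext_body in _children(exts_body):
                ext = dict(_children(ext_body))        # OID, optional BOOLEAN critical, OCTET STRING
                if ext.get(0x06) != OID_SAN:
                    continue
                for _t4, gn_body in _children(ext[0x04]):
                    for gtag, value in _children(gn_body):
                        if gtag == 0x82:
                            sans.append("DNS:" + value.decode("ascii"))
                        elif gtag == 0x87:
                            sans.append("IP:" + str(ipaddress.ip_address(value)))
                        else:
                            sans.append("OTHER:tag=%#x" % gtag)
    return sans


if __name__ == "__main__":
    attrs = encode_san_attribute(["dns:mydomain.com", "ip:10.0.0.1"])  # constructed sample names
    print(attrs.hex())
    print(decode_san_from_attributes(attrs))
    print(decode_san_from_attributes(tlv(0xA0, b"")))  # CSR exported without -ext san
```

The empty `[0]` case is what a CSR exported without `-ext san=` looks like: the attributes field is present but contains no extensionRequest, so the decoder returns an empty list. The same walk can be pointed at the attributes element of a real CSR after stripping the PEM armour, and `openssl req -text -noout` shows the same data under "Requested Extensions".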

1 Answer

It is normal that SAN is not included when exporting a CSR. In generating a CSR, you only need to provide one common name or domain name.

Refer to this link: https://support.globalsign.com/customer/portal/articles/1229769-certificate-signing-request-csr---overview

SANs, or Subject Alternative Names, are added during the ordering process of the certificate from a Certificate Authority. SANs are added to the certificate, not to the CSR.

John Eli

    SAN on the certificate is being installed like a single domain name certificate. As long as the SAN is included on the certificate, it will be secured on the server. – John Eli Jan 21 '14 at 22:02
  • Can you explain more why this is 'normal'? If I have no FQDN and specify no CN, but only an IP with SAN, that should get included in the CSR. – Matt Hughes Jul 09 '14 at 15:25