A certificate's subject field is allowed to be empty if it has a subjectAlternativeName extension. keytool currently cannot generate a cert request or a cert without the subject field. The reason is that the subject field is determined at the -gekeypair time and never changed at -certreq or -gencert. Since the cert generated at -genkeypair is self-signed and a self-signed cert must have the subject field, we have no chance to specify the empty subject now.