JDK-8186143

keytool -ext option doesn't accept wildcards for DNS subject alternative names


    • b15
    • generic
    • generic
    • Verified

        FULL PRODUCT VERSION :
        java version "1.8.0_121"
        Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
        Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

        ADDITIONAL OS VERSION INFORMATION :
        Windows 10

        A DESCRIPTION OF THE PROBLEM :
        I wanted to understand whether Java has got the support for wildcard based DNS names in X509 V3 extensions with Keytool option.

        I was following RFC 2818 and RFC 2459 to use SAN with my keystore. I generated my keystore using the following command:

        keytool -genkeypair -alias localhost -keystore mykeys.jks -storepass somepass -keypass somepass -validity 730 -keyalg RSA -ext SAN=DNS:localhost,DNS:*.mydomain.com,DNS:localhost

        What is your first and last name?
          [Unknown]: localhost
        What is the name of your organizational unit?
          [Unknown]: My Org
        What is the name of your organization?
          [Unknown]: MyMy
        What is the name of your City or Locality?
          [Unknown]: London
        What is the name of your State or Province?
          [Unknown]:
        What is the two-letter country code for this unit?
          [Unknown]: GB
        Is CN=localhost, OU=My Org, O=MyMy, L=London, ST=Unknown, C=GB correct?
          [no]: yes

        keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter

        Please could you confirm if this is a bug or an expected behaviour with Keytool. If I cannot create my certificate signing request using keytool (with SAN extensions) - does Java provide any other means to do this?

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Same as in description

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        A Keypair should have been generated with SAN name (DNS with wildcards accepted).
        ACTUAL -
        keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter

        REPRODUCIBILITY :
        This bug can be reproduced always.

        CUSTOMER SUBMITTED WORKAROUND :
        Currently, I have to add each and every single DNS name using a comma-separated, dictionary-like entry form, e.g.

        -ext SAN=DNS:value1,DNS:value2,DNS:value3
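As an added example (not from the bug report or the JDK), the following Python script parses the -ext SAN argument from the command above, reproduces the per-label check behind the quoted "DNSName components must begin with a letter" error alongside the relaxed form the report asks for, and matches a wildcard name against hostnames the way RFC 2818 section 3.1 describes. The label rules beyond the quoted message, and the matching rule, are assumptions and not the JDK's own DNSName implementation.

```python
import re

# Constructed input: the extension argument from the keytool command above.
SAN_ARG = "SAN=DNS:localhost,DNS:*.mydomain.com,DNS:localhost"

# A DNS label: letters, digits and hyphens, with no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_san(arg):
    """Split 'SAN=TYPE:value,TYPE:value' into (type, value) pairs."""
    _, _, body = arg.partition("=")
    return [tuple(item.split(":", 1)) for item in body.split(",") if ":" in item]


def check_dnsname(name, allow_wildcard):
    """Return None if `name` is acceptable, else the rejection reason.

    allow_wildcard=False is the strict rule behind the quoted error (every label
    must begin with a letter, so '*' fails). allow_wildcard=True accepts a
    leading '*' label only, which is what the report asks for. This is an
    assumed reconstruction, not the JDK's own DNSName code.
    """
    labels = name.split(".")
    for i, label in enumerate(labels):
        if allow_wildcard and i == 0 and label == "*" and len(labels) > 1:
            continue  # wildcard may replace the leftmost label only
        if not label:
            return "DNSName components must not be empty"
        if not label[0].isalpha():
            return "DNSName components must begin with a letter"
        if not LABEL_RE.match(label):
            return "DNSName components may contain only letters, digits and hyphens"
    return None


def validate_san(arg, allow_wildcard):
    """Map every DNS entry in the extension to its rejection reason (or None)."""
    return {v: check_dnsname(v, allow_wildcard)
            for t, v in parse_san(arg) if t == "DNS"}


def wildcard_matches(pattern, host):
    """RFC 2818 3.1 style match: '*' stands for exactly one leftmost label, so
    '*.mydomain.com' covers www.mydomain.com but not a.b.mydomain.com."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]
```

Running validate_san(SAN_ARG, False) reproduces the rejection of *.mydomain.com; validate_san(SAN_ARG, True) accepts every entry.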

              hchao Haimay Chao
              webbuggrp Webbug Group