- Bug
- Resolution: Fixed
- P2
- 8, 9
- b15
- generic
- generic
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8290494 | 11.0.17-oracle | Prasadarao Koppula | P2 | Closed | Fixed | b03 |
JDK-8290934 | 11.0.17 | Goetz Lindenmaier | P2 | Resolved | Fixed | b01 |
JDK-8290956 | 8u351 | Prasadarao Koppula | P2 | Closed | Fixed | b04 |
FULL PRODUCT VERSION :
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Windows 10
A DESCRIPTION OF THE PROBLEM :
I wanted to understand whether Java has got the support for wildcard-based DNS names in X509 V3 extensions with Keytool option.
I was following RFC 2818 and RFC 2459 to use SAN with my keystore. I generated my keystore using the following command:
`keytool -genkeypair -alias localhost -keystore mykeys.jks -storepass somepass -keypass somepass -validity 730 -keyalg RSA -ext SAN=DNS:localhost,DNS:*.mydomain.com,DNS:localhost`
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: My Org
What is the name of your organization?
[Unknown]: MyMy
What is the name of your City or Locality?
[Unknown]: London
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=localhost, OU=My Org, O=MyMy, L=London, ST=Unknown, C=GB correct?
[no]: yes
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter
Please could you confirm if this is a bug or an expected behaviour with Keytool. If I cannot create my certificate signing request using keytool (with SAN extensions) - does Java provide any other means to do this?
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Same as in description
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A Keypair should have been generated with SAN name (DNS with wildcards accepted).
ACTUAL -
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Currently, I have to add each and every single DNS name using comma-separated dictionary-like entry form e.g.
-ext SAN=DNS:value1,DNS:value2,DNS:value3
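A non-interactive probe for the behaviour reported above, added here as an example (not part of the original report or of the JDK sources): it passes the reporter's wildcard `-ext SAN` value to whichever `keytool` is on the PATH, using a throwaway keystore, and reports whether the wildcard DNS name ends up in the certificate. The function names, the temporary keystore and the use of `-dname` in place of the interactive prompts are choices made for this example.

```shell
#!/bin/sh
# Added example: does this JDK's keytool accept a wildcard DNS name in -ext SAN?

# Reads `keytool -list -v` output on stdin; succeeds only if a line is exactly
# "DNSName: <name>" once surrounding whitespace is stripped.
san_lists_dns() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq -- "DNSName: $1"
}

# Returns 0 if the wildcard SAN was accepted and written to the certificate,
# 1 if keytool rejected it (the behaviour in this report), 2 if it cannot run.
check_wildcard_san() {
    command -v keytool >/dev/null 2>&1 || return 2
    probe_dir=$(mktemp -d) || return 2
    probe_ks="$probe_dir/probe.jks"   # throwaway keystore, deleted below
    probe_rc=1
    # The -ext value is quoted so the shell does not glob-expand the '*'.
    if probe_out=$(keytool -genkeypair -alias localhost -keystore "$probe_ks" \
            -storepass somepass -keypass somepass -validity 730 -keyalg RSA \
            -dname "CN=localhost, OU=My Org, O=MyMy, L=London, ST=Unknown, C=GB" \
            -ext "SAN=DNS:localhost,DNS:*.mydomain.com" 2>&1); then
        # Generation succeeded: confirm the wildcard entry is really in the cert.
        if keytool -list -v -alias localhost -keystore "$probe_ks" \
                -storepass somepass 2>/dev/null | san_lists_dns '*.mydomain.com'; then
            probe_rc=0
        fi
    else
        # An affected JDK prints the "DNSName components must begin with a letter" error.
        printf '%s\n' "$probe_out" >&2
    fi
    rm -rf "$probe_dir"
    return "$probe_rc"
}

status=0
check_wildcard_san || status=$?
case "$status" in
    0) echo "keytool accepted the wildcard DNS SAN" ;;
    1) echo "keytool rejected the wildcard DNS SAN" ;;
    *) echo "keytool not available; nothing checked" ;;
esac
```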
- backported by
  - JDK-8290934 keytool -ext option doesn't accept wildcards for DNS subject alternative names (Resolved)
  - JDK-8290494 keytool -ext option doesn't accept wildcards for DNS subject alternative names (Closed)
  - JDK-8290956 keytool -ext option doesn't accept wildcards for DNS subject alternative names (Closed)
- relates to
  - JDK-8054380 DNSName should be verified when parsing an X509Certificate (Open)