How to create CSR with SAN using keytool

I would like to ask if it is possible to create a CSR that contains SAN entries.

I created the keystore as:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias testAlias -ext SAN=dns:test.example.com -keystore test.jks -storetype JKS -dname "CN=test" 

I can verify with keytool that the SAN is in the keystore

 keytool -list -v -keystore test.jks 

and the relevant part of the output:

 #1: ObjectId: 2.5.29.17 Criticality=false
 SubjectAlternativeName [
   DNSName: test.example.com
 ]

Then I created a CSR using keytool:

 keytool -certreq -file test.csr -keystore test.jks -alias testAlias 

but there is no SAN information in the CSR.

How to check:

 keytool -printcertreq -file test.csr -v 

it should be something like

 Extension Request:
 #1: ObjectId: 2.5.29.17 Criticality=false
 SubjectAlternativeName [
   DNSName: test.example.com
 ]

Did I miss some option for certreq?

+4
certificate keytool
Jun 10 '15 at 11:39
2 answers

It seems like maybe I found the answer - stack overflow site/questions/108718 / ...

I still need to check if it works.

0
Jun 23 '15 at 12:50

When you create the CSR, you need to specify the -ext attribute again:

 keytool -certreq -file test.csr -keystore test.jks -alias testAlias -ext SAN=dns:test.example.com 
+10
Apr 26 '17 at 2:56
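
A repeatable form of the check from the question, as an added example that is not part of the original posts: it reads the text printed by `keytool -printcertreq -v` and succeeds only when the expected DNS name is listed under SubjectAlternativeName. The function names `csr_has_san` and `check_csr` and the abbreviated sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names and sample text below are constructed for illustration.

# csr_has_san NAME: reads `keytool -printcertreq -v` output on stdin and
# succeeds only if a SubjectAlternativeName block lists exactly DNSName: NAME.
csr_has_san() {
    awk -v want="$1" '
        /SubjectAlternativeName \[/ { in_san = 1 }
        in_san && /DNSName:/ {
            line = $0
            sub(/^.*DNSName:[ \t]*/, "", line)
            sub(/[ \t]*\][ \t]*$/, "", line)   # one-line (flattened) form
            sub(/[ \t]+$/, "", line)
            if ((line "") == (want "")) found = 1
        }
        in_san && /\]/ { in_san = 0 }
        END { exit(found ? 0 : 1) }
    '
}

# check_csr FILE NAME: the same check against a CSR file (needs keytool on PATH).
check_csr() {
    keytool -printcertreq -file "$1" -v | csr_has_san "$2"
}

# Constructed, abbreviated samples of the printcertreq text (not real captures).
CSR_WITHOUT_EXT='Subject: CN=test'
CSR_WITH_EXT='Subject: CN=test

Extension Request:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: test.example.com
]'

for sample in "$CSR_WITHOUT_EXT" "$CSR_WITH_EXT"; do
    if printf '%s\n' "$sample" | csr_has_san test.example.com; then
        echo "SAN present in request"
    else
        echo "SAN missing: repeat -ext SAN=dns:test.example.com on keytool -certreq"
    fi
done
```

Running `check_csr test.csr test.example.com` before submitting a request to a CA catches a CSR generated without the `-ext` option.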