How to add multiple domains (subject alternative names) to a certificate and a keystore (.jks) file
Introduction
In this article, we will see how to add multiple domains, also known as Subject Alternative Names (SANs), to a certificate and a JKS keystore. If you are getting an SSL handshake exception and your application is complaining about

```
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
```

then the certificate the server presents does not name the host your client is connecting to. Java's hostname verifier (sun.security.util.HostnameChecker) matches the host in the URL against the certificate's SAN entries: DNS names against `DNS:` entries and IP addresses against `IP:` entries. This particular message is raised when the URL contains an IP address and the certificate carries no SAN extension at all; a SAN that exists but does not contain the name produces a "No subject alternative DNS name matching <host> found" message instead. The fix is the same in every case: issue the certificate with a SAN that lists every hostname (and, if clients connect by address, every IP) the application is reached by, and put it in the keystore the application serves from.
Using OpenSSL and keytool to add multiple domains
- Copy openssl.cnf into the current directory. The copy is the one we edit; the system file stays untouched.

```bash
# For macOS use the command below
cp /etc/ssl/openssl.cnf .
# For RHEL / CentOS 7
cp /etc/pki/tls/openssl.cnf .
# For Windows you will need to install OpenSSL, find out where its openssl.cnf is, and use Method 2 below
```

- Append a new `[ subject_alt_name ]` section to the end of openssl.cnf. The section name is arbitrary; it only has to match the `-extensions` argument used when the certificate is created.

```bash
echo '[ subject_alt_name ]' >> openssl.cnf
```

- Add the domain names under that section. The example below lists three domains plus localhost. Hosts that clients reach by IP address need `IP:` entries as well, because Java never matches an address against a `DNS:` entry.

```bash
echo 'subjectAltName = DNS:example.mydomain1.com, DNS:example.mydomain2.com, DNS:example.mydomain3.com, DNS:localhost' >> openssl.cnf
```

- Create the private key and the self-signed certificate. The subject (CN and organisation details) is passed on the command line with `-subj`, so OpenSSL does not prompt for it. Note that `-nodes` leaves the private key unencrypted on disk, so restrict the file's permissions accordingly.

```bash
openssl req -x509 -nodes -newkey rsa:2048 -config openssl.cnf -extensions subject_alt_name -keyout private.key -out self-signed.pem -subj '/C=gb/ST=edinburgh/L=edinburgh/O=mygroup/OU=servicing/CN=www.example.com/emailAddress=postmaster@example.com' -days 365
```
The command writes the private key to private.key and the self-signed certificate, which carries the public key, to self-signed.pem. The country, state, locality and organisation values above are placeholders, and the certificate is valid for one year as set by `-days 365`; change both to suit your needs.

- Verify that the certificate was generated with the expected names:

```bash
openssl x509 -in self-signed.pem -text -noout
```

The output should list every name added above under the Subject Alternative Name extension (modulus and signature abbreviated):

```
Certificate:
    Subject: C=gb, ST=edinburgh, L=edinburgh, O=mygroup, OU=servicing, CN=www.example.com/emailAddress=postmaster@example.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                45:17:ea:d5:87:30:17:e1:50:4a:c7:67:9b:5f:35:c3:0b:0e:f2:83:32:19.......
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS:example.mydomain1.com, DNS:example.mydomain2.com, DNS:example.mydomain3.com, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
        8c:7d:85:5e:37:d2:e7:09:f5:3e:ce:73:d4:d5:3e:5a:ee:e2:
```

- Bundle the certificate and private key into a PKCS#12 keystore. You will be prompted for an export password, which keytool needs in the next step. The `-keypbe` and `-certpbe` options select the legacy SHA1/3DES encryption that older keytool releases can read; on a current JDK they can be dropped so that OpenSSL uses its stronger defaults.

```bash
openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -in self-signed.pem -inkey private.key -name myalias -out keystore.p12
```
- Convert the PKCS#12 file into a JKS keystore. Use `-deststoretype JKS` to get a true JKS file; with `-deststoretype PKCS12` the output is still a PKCS#12 file despite its .jks name. Since Java 9 keytool treats JKS as a legacy format and recommends PKCS#12, so keystore.p12 can also be handed to most applications directly.

```bash
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
```

The generated .jks file can now be used by your Java application.

- Verify that the JKS has been created correctly:

```bash
keytool -list -v -keystore keystore.jks
```

The entry should show the subject alternative names added above:

```
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
SubjectAlternativeName [
  DNSName: example.mydomain1.com
  DNSName: example.mydomain2.com
  DNSName: example.mydomain3.com
  DNSName: localhost
]
```
- Export the certificate from the keystore:

```bash
keytool -export -keystore keystore.jks -alias myalias -file selfsigned.crt
```

- Because the certificate is self-signed rather than issued by a CA, any Java client that talks to the application has to trust it explicitly. Here it is imported into the JVM's default truststore, the cacerts file (the path below is for JDK 1.8.0_171 on macOS; the default cacerts password is `changeit`):

```bash
sudo keytool -importcert -file selfsigned.crt -alias myalias -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts
```

Be aware that this makes every Java program run with that JDK trust the certificate. For a single application it is safer to import the certificate into a dedicated truststore and point only that application at it with `-Djavax.net.ssl.trustStore=/path/to/truststore.jks`.

Tip: KeyStore Explorer is a nice tool for inspecting truststores and examining certificates.
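The whole procedure above as a single script, added here as an example that is not part of the original article: it builds the SAN list from a host list (deriving `DNS:` or `IP:` entries from each host), creates the key and self-signed certificate with the `-addext` option of OpenSSL 1.1.1 and later instead of a copied openssl.cnf, checks the SAN that ended up in the certificate, and converts the result into a JKS keystore with keytool. The hostnames, file names, the alias `myalias` and the password `changeit` are assumed placeholders, and the script stops gracefully if openssl or keytool is not installed.

```shell
#!/bin/sh
# Added example, not from the original article: the procedure above in one
# script. Uses OpenSSL 1.1.1+'s -addext so openssl.cnf need not be copied or
# edited, classifies hosts into DNS:/IP: SAN entries, and converts the result
# into a JKS keystore with keytool.
# Hostnames, file names, the alias "myalias" and the password "changeit" are
# assumed placeholders; replace them for real use.
set -u

# Turn a list of hosts into a subjectAltName value. IP literals get IP:
# entries because Java matches an address in a URL only against IP entries,
# never against DNS: entries (DNS:localhost does not cover 127.0.0.1).
san_from_hosts() {
    out=""
    for h in "$@"; do
        case "$h" in
            *:*)       entry="IP:$h" ;;    # contains ':'  -> IPv6 literal
            *[!0-9.]*) entry="DNS:$h" ;;   # letters or '-' -> DNS name
            *)         entry="IP:$h" ;;    # digits and dots only -> IPv4 literal
        esac
        out="${out:+$out,}$entry"
    done
    printf '%s' "$out"
}

# Create an unencrypted private key and a self-signed certificate whose SAN
# is the value built above, in a single command (no openssl.cnf edits).
make_cert() {   # $1 = SAN value, $2 = key file, $3 = certificate file
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj '/O=mygroup/CN=www.example.com' \
        -addext "subjectAltName=$1" \
        -keyout "$2" -out "$3"
}

# Print the SAN line of a PEM certificate so the result can be verified.
cert_san() {    # $1 = certificate file
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# Bundle key and certificate into PKCS#12, then convert to a real JKS store.
make_jks() {    # $1 = key, $2 = cert, $3 = alias, $4 = password, $5 = .p12, $6 = .jks
    openssl pkcs12 -export -in "$2" -inkey "$1" -name "$3" \
        -passout "pass:$4" -out "$5"
    keytool -importkeystore -noprompt \
        -srckeystore "$5" -srcstoretype PKCS12 -srcstorepass "$4" \
        -destkeystore "$6" -deststoretype JKS -deststorepass "$4"
}

main() {
    work=$(mktemp -d)
    san=$(san_from_hosts example.mydomain1.com example.mydomain2.com localhost 127.0.0.1)
    echo "SAN value: $san"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; stopping"; return 0; }
    make_cert "$san" "$work/private.key" "$work/self-signed.pem"
    echo "certificate SAN: $(cert_san "$work/self-signed.pem")"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping JKS"; return 0; }
    make_jks "$work/private.key" "$work/self-signed.pem" myalias changeit \
        "$work/keystore.p12" "$work/keystore.jks"
    # Show the SAN as keytool sees it in the finished JKS keystore
    keytool -list -v -keystore "$work/keystore.jks" -storepass changeit \
        | grep -A 6 'SubjectAlternativeName'
    echo "files written to $work"
}
main
```

Run it as `sh make-san-keystore.sh`; the generated private.key, self-signed.pem, keystore.p12 and keystore.jks are left in the temporary directory it prints. Passing the password with `-passout`/`-srcstorepass` keeps the script non-interactive, but on a shared machine it exposes the value to `ps`; for production keys prefer the interactive prompts the article uses or a `file:` password source.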