Is there a way for java's keytool to generate self-signed certificate with a wildcard in SAN (Subject Alternative Name)? I'm using this command to generate keystore:
keytool -genkey -alias tomcat -storetype JKS -keyalg RSA -keysize 2048 -ext san=dns:*.example.com -keystore "path/to/my/keystore.jks" -validity 3650
But I get IOException: DNSName components must begin with a letter
Obviously, the problem is *.example.com
in SAN, but I don't see other way of generating self-signed certificate for example.com
subdomains.
According to this, it should be possible. Is it error in my syntax, bug in keytool, or I misunderstood something?
BTW, I'm using keytool from JDK 1.8 update 60
EDIT I managed to generate self-signed certificate for all example.com
subdomains via keytool by specifying CN=*.example.com
, and leaving SAN empty. Nonetheless, I'll leave Omikron's answer as accepted (since it's an actual answer and not a bypass of restrictions).
Keytool internally uses the class sun.security.x509.DNSName
to check the input. DNSName enforces the syntax specified in RFC 1034. Quote from its Javadoc comment:
The name MUST be in the "preferred name syntax," as specified by RFC 1034.
The preferred name syntax is:
<domain> ::= <subdomain> | " "
<subdomain> ::= <label> | <subdomain> "." <label>
<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
<let-dig-hyp> ::= <let-dig> | "-"
<let-dig> ::= <letter> | <digit>
<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case
<digit> ::= any one of the ten digits 0 through 9
So according to this syntax, domain names have to begin with a letter (A-Z, a-z).
Newer RFCs (e.g. RFC 2181, RFC 1123) are relaxing these restrictions, so this can be considered a bug in Java. There are already several related bug reports:
https://bugs.openjdk.java.net/browse/JDK-8016345
https://bugs.openjdk.java.net/browse/JDK-8007706
So, the answer is no, there is currently no way to create a wildcard SAN extension with keytool.
But you could use KeyStore Explorer to do this. It is basically keytool with a GUI and does not enforce these restrictions.
UPDATE: This has been fixed in Java 15: https://bugs.openjdk.java.net/browse/JDK-8186143