Hi Godwin,

Yes, SANs are a part of the public certificate and they are not bound to the public key or the private key (key pair). So we can consider them as metadata of the certificate.
*keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks -keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com*

When we generate the key pair using the above command, the default public certificate generated contains the SANs defined. You can use [1] to decode the content below and check that.

-----BEGIN CERTIFICATE-----
MIIDcTCCAlmgAwIBAgIEQ5oSYzANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJp
czELMAkGA1UECBMCaXMxCzAJBgNVBAcTAmlzMQswCQYDVQQKEwJpczELMAkGA1UE
CxMCaXMxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xODA2MTIwMjIzNTRaFw0xODA5
MTAwMjIzNTRaMFUxCzAJBgNVBAYTAmlzMQswCQYDVQQIEwJpczELMAkGA1UEBxMC
aXMxCzAJBgNVBAoTAmlzMQswCQYDVQQLEwJpczESMBAGA1UEAxMJbG9jYWxob3N0
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hQKOBFRu+Q+KrLcPhpt
CQprKcqMwCjtMh7fPvzYwUQLl0D+XLorQqx7dlPhU7g22jHpy+v/vfRwTHMh6VyH
ZLzN0riX8xt89mnDFqA+VPE5NYY3y5nzHvXd3kwTA8gm1HcPnYaMnLQTlM9MG/1a
iIfUH25p7K0v5UYLqIySJn8TOwumETS0r2C+8ISM8lyFrq++/Ppc4rKNAHD2On3g
0aVnYO1FQaSkcq2LsJ38m4AHrI8+bKrLH3K27EHIy1O1CRw6Trv/pq9ZngP+rP65
WhK/s7J0cJ8JkM6SKdFGJitLP2/VNaN1+YTk/cJ8eCBoD3yCZU/lrsUDrh26ZagA
bQIDAQABo0kwRzAmBgNVHREEHzAdggd4eXouY29tggdhYmMuY29tggloZWxsby5j
b20wHQYDVR0OBBYEFMBlwLLkuEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUA
A4IBAQAFwZi+7DafcwWYpUHhiQCOMtcoS0hAJ3l57U7FwgoYk5KdG2+tJD0v9agk
p2PrTHnHgNhXhQDDJkuV03Wa6FPf48HSY1AuJZhaf5jFJmnocjMdyabEsgPaXw30
FA05hZ4Y3PLRbTQLyiDGhuWmzZ5LuRFpF5cFt9ODPQWOfVuG/st/3nQFsFERXSZu
Td69d7shs2cyyG013R65C0ZDynNVjKDR9LKz4cV01lmA7KqETqdcZaJppX+tJ54U
fksGhNrXm/1VNSwi7wSKZnPC387chHUFSJVhaRz0oHrtJjWoYKXMiBRIXgbA1WAk
JjV0MYJGx68sIwEO6R1ZGhM1o5eu
-----END CERTIFICATE-----

However, if I create a CSR, the SAN information is not included in the CSR file. Therefore it seems we need to include the required SANs at the time of creating the CSR. An example is below.
*keytool -certreq -file wso2carbon.csr -keystore wso2carbon.jks -alias wso2carbon -ext SAN=dns:test.example.com*

Then in the generated CSR, we can see the SAN information is included. You can decode the following using [2] and check it.

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC5zCCAc8CAQAwVTELMAkGA1UEBhMCaXMxCzAJBgNVBAgTAmlzMQswCQYDVQQHEwJpczELMAkG
A1UEChMCaXMxCzAJBgNVBAsTAmlzMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDeFAo4EVG75D4qstw+Gm0JCmspyozAKO0yHt8+/NjBRAuXQP5cuitC
rHt2U+FTuDbaMenL6/+99HBMcyHpXIdkvM3SuJfzG3z2acMWoD5U8Tk1hjfLmfMe9d3eTBMDyCbU
dw+dhoyctBOUz0wb/VqIh9QfbmnsrS/lRguojJImfxM7C6YRNLSvYL7whIzyXIWur778+lziso0A
cPY6feDRpWdg7UVBpKRyrYuwnfybgAesjz5sqssfcrbsQcjLU7UJHDpOu/+mr1meA/6s/rlaEr+z
snRwnwmQzpIp0UYmK0s/b9U1o3X5hOT9wnx4IGgPfIJlT+WuxQOuHbplqABtAgMBAAGgTTBLBgkq
hkiG9w0BCQ4xPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhhbXBsZS5jb20wHQYDVR0OBBYEFMBlwLLk
uEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUAA4IBAQB0pex3/TTMjMoQml6ljkm4Z1tKdQlA
9sbaIDmB2nafOMJ2O4RRCR8RK3FpFUP523XkhvtRq2SspVtq/R6KHXUsJeEHF5ynqMUjd66nuQpP
lVMqXeufh6zC4VJWb1vBSYvaYF1HFO0y7qr9VoD77ywaAX3sZX1WRU/f/Z9VkfeNHCZDcGcURGb2
NljnAkgrduZcol10GJ4lJhMiCwfYy5Yk57P3FhnXyeVRJo42vmUSbHGQm7g2JxzIzsgw3M2H+B60
p5gRS/i38lxy9owwyI368efocIyDoOpD823rm/I53lB0ivLDn018ZLbYEtzRkC7iVHII90XTj/8j
ML6XCITq
-----END NEW CERTIFICATE REQUEST-----

So, we can override the already included SANs when generating the CSR. Also it seems it's a must to include the required extensions at the time we generate the CSR. Otherwise there's no way to communicate the required extensions to the CA. Also, when generating the CSR, we need to include other extensions like Key Usage (for encryption purposes), i.e. the data encipherment/key encipherment properties.
*keytool -certreq -alias <KeyAlias value> -file <output_file_name.csr> -keystore <JKS file name> -ext KeyUsage:critical="keyCertSign,digitalSignature,keyEncipherment,dataEncipherment" -storepass <keystore password>*

[1] https://www.sslshopper.com/certificate-decoder.html
[2] https://www.sslshopper.com/csr-decoder.html

Regards,
TharinduE

On Mon, Jun 11, 2018 at 1:31 AM Godwin Amila Shrimal <[email protected]> wrote:

> Hi,
>
> I have a clarification related to $subject. When we create the keystore
> we can give the SAN as below.
>
> keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks
> -keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com
>
> I have the following two questions
> 1. AFAIK SANs are metadata of the public certificate. Is it correct?
> 2. When we create the CSR do we have to give SANs again or does it remain
> what we gave while creating the keystore?
> 3. Can we override and give different SANs while creating the CSR? I have
> seen in [1] we need to give SANs while creating the CSR
>
> I am a bit confused on this. Can you give your feedback on this?
>
> [1]
> https://support.microsoft.com/en-gb/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate
>
> Thanks
> Godwin
> --
> *Godwin Amila Shrimal*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: *+94772264165*
> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
> twitter: https://twitter.com/godwinamila
>

--
Tharindu Edirisinghe
Associate Technical Lead | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
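A worked check of the points made in the reply above, added here as an example and not part of the thread or of WSO2's code: a small dependency-free Python DER walker run over the exact certificate and CSR posted above. It locates the subjectAltName extension in each object (in the certificate under the TBSCertificate extensions, in the CSR under the PKCS#10 extensionRequest attribute, OID 1.2.840.113549.1.9.14), shows that the SubjectPublicKeyInfo bytes are identical in both objects (so the SANs travel with the request, not with the key pair), and shows that this CSR carries no KeyUsage extension, which is the reason a KeyUsage the CA should issue has to be put into the CSR. The function names and the pairwise-joined base64 lines are this example's own.

```python
"""Where the SAN lives in the certificate and CSR quoted in the thread above.

Added example, not code from the thread or from WSO2. A dependency-free DER walk over
both objects (PEM copied verbatim from the thread, base64 lines joined in pairs) shows
that the SAN is an extension, carried in the CSR inside the PKCS#10 extensionRequest
attribute, while the SubjectPublicKeyInfo is byte-identical in both objects.
"""
import base64
import re

SAN_OID = bytes.fromhex("551d11")                # 2.5.29.17  id-ce-subjectAltName
KEY_USAGE_OID = bytes.fromhex("551d0f")          # 2.5.29.15  id-ce-keyUsage
EXT_REQ_OID = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest


def pem_to_der(pem):
    """Strip the -----BEGIN/END ...----- armour and base64-decode the body."""
    return base64.b64decode("".join(re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem).split()))


def read_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def sequences_led_by(der, oid):
    """Value ranges of every SEQUENCE whose first element is `oid` (Extension/Attribute shape)."""
    found = []

    def walk(start, end):
        for tag, _, vs, ve in children(der, start, end):
            if not tag & 0x20:           # primitive (INTEGER, OID, OCTET STRING ...): no children
                continue
            kids = list(children(der, vs, ve))
            if tag == 0x30 and kids and kids[0][0] == 0x06 and der[kids[0][2]:kids[0][3]] == oid:
                found.append((vs, ve))
            else:
                walk(vs, ve)
    walk(0, len(der))
    return found


def san_dns_names(der):
    """dNSName entries of subjectAltName, in order, from a certificate or a CSR."""
    names = []
    for vs, ve in sequences_led_by(der, SAN_OID):
        # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        _, _, ovs, _ = list(children(der, vs, ve))[-1]
        _, gvs, gve = read_tlv(der, ovs)          # GeneralNames ::= SEQUENCE OF GeneralName
        names += [der[s:e].decode("ascii") for t, _, s, e in children(der, gvs, gve) if t == 0x82]
    return names                                  # 0x82 = dNSName [2] IMPLICIT IA5String


def subject_public_key_info(der):
    """Raw DER of the SPKI: the first SEQUENCE { AlgorithmIdentifier SEQUENCE, BIT STRING }."""
    def walk(start, end):
        for tag, ns, vs, ve in children(der, start, end):
            if not tag & 0x20:
                continue
            if tag == 0x30 and [k[0] for k in children(der, vs, ve)] == [0x30, 0x03]:
                return der[ns:ve]
            hit = walk(vs, ve)
            if hit is not None:
                return hit
    return walk(0, len(der))


CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDcTCCAlmgAwIBAgIEQ5oSYzANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJpczELMAkGA1UECBMCaXMxCzAJBgNVBAcTAmlzMQswCQYDVQQKEwJpczELMAkGA1UE
CxMCaXMxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xODA2MTIwMjIzNTRaFw0xODA5MTAwMjIzNTRaMFUxCzAJBgNVBAYTAmlzMQswCQYDVQQIEwJpczELMAkGA1UEBxMC
aXMxCzAJBgNVBAoTAmlzMQswCQYDVQQLEwJpczESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hQKOBFRu+Q+KrLcPhpt
CQprKcqMwCjtMh7fPvzYwUQLl0D+XLorQqx7dlPhU7g22jHpy+v/vfRwTHMh6VyHZLzN0riX8xt89mnDFqA+VPE5NYY3y5nzHvXd3kwTA8gm1HcPnYaMnLQTlM9MG/1a
iIfUH25p7K0v5UYLqIySJn8TOwumETS0r2C+8ISM8lyFrq++/Ppc4rKNAHD2On3g0aVnYO1FQaSkcq2LsJ38m4AHrI8+bKrLH3K27EHIy1O1CRw6Trv/pq9ZngP+rP65
WhK/s7J0cJ8JkM6SKdFGJitLP2/VNaN1+YTk/cJ8eCBoD3yCZU/lrsUDrh26ZagAbQIDAQABo0kwRzAmBgNVHREEHzAdggd4eXouY29tggdhYmMuY29tggloZWxsby5j
b20wHQYDVR0OBBYEFMBlwLLkuEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUAA4IBAQAFwZi+7DafcwWYpUHhiQCOMtcoS0hAJ3l57U7FwgoYk5KdG2+tJD0v9agk
p2PrTHnHgNhXhQDDJkuV03Wa6FPf48HSY1AuJZhaf5jFJmnocjMdyabEsgPaXw30FA05hZ4Y3PLRbTQLyiDGhuWmzZ5LuRFpF5cFt9ODPQWOfVuG/st/3nQFsFERXSZu
Td69d7shs2cyyG013R65C0ZDynNVjKDR9LKz4cV01lmA7KqETqdcZaJppX+tJ54UfksGhNrXm/1VNSwi7wSKZnPC387chHUFSJVhaRz0oHrtJjWoYKXMiBRIXgbA1WAk
JjV0MYJGx68sIwEO6R1ZGhM1o5eu
-----END CERTIFICATE-----"""

CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC5zCCAc8CAQAwVTELMAkGA1UEBhMCaXMxCzAJBgNVBAgTAmlzMQswCQYDVQQHEwJpczELMAkGA1UEChMCaXMxCzAJBgNVBAsTAmlzMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDeFAo4EVG75D4qstw+Gm0JCmspyozAKO0yHt8+/NjBRAuXQP5cuitCrHt2U+FTuDbaMenL6/+99HBMcyHpXIdkvM3SuJfzG3z2acMWoD5U8Tk1hjfLmfMe9d3eTBMDyCbU
dw+dhoyctBOUz0wb/VqIh9QfbmnsrS/lRguojJImfxM7C6YRNLSvYL7whIzyXIWur778+lziso0AcPY6feDRpWdg7UVBpKRyrYuwnfybgAesjz5sqssfcrbsQcjLU7UJHDpOu/+mr1meA/6s/rlaEr+z
snRwnwmQzpIp0UYmK0s/b9U1o3X5hOT9wnx4IGgPfIJlT+WuxQOuHbplqABtAgMBAAGgTTBLBgkqhkiG9w0BCQ4xPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhhbXBsZS5jb20wHQYDVR0OBBYEFMBlwLLk
uEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUAA4IBAQB0pex3/TTMjMoQml6ljkm4Z1tKdQlA9sbaIDmB2nafOMJ2O4RRCR8RK3FpFUP523XkhvtRq2SspVtq/R6KHXUsJeEHF5ynqMUjd66nuQpP
lVMqXeufh6zC4VJWb1vBSYvaYF1HFO0y7qr9VoD77ywaAX3sZX1WRU/f/Z9VkfeNHCZDcGcURGb2NljnAkgrduZcol10GJ4lJhMiCwfYy5Yk57P3FhnXyeVRJo42vmUSbHGQm7g2JxzIzsgw3M2H+B60
p5gRS/i38lxy9owwyI368efocIyDoOpD823rm/I53lB0ivLDn018ZLbYEtzRkC7iVHII90XTj/8jML6XCITq
-----END NEW CERTIFICATE REQUEST-----"""

if __name__ == "__main__":
    cert, csr = pem_to_der(CERT_PEM), pem_to_der(CSR_PEM)
    print(san_dns_names(cert), san_dns_names(csr), subject_public_key_info(cert) == subject_public_key_info(csr),
          bool(sequences_led_by(csr, EXT_REQ_OID)), bool(sequences_led_by(csr, KEY_USAGE_OID)))
```

Running it prints the three SANs from the self-signed certificate, the single SAN from the CSR, True for the SPKI comparison, True for the extensionRequest check and False for KeyUsage. The walker only locates structures; it does not verify the signature on either object, so it is a diagnostic for "what did keytool actually put in the request", not a trust check. Any DER object with single-byte tags can be passed to it.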
