Hi Tharindu,

Thanks a lot for your detailed explanation. This sorted out all the doubts I had.
As a summary:

1. SANs are metadata of the certificate
2. We MUST give SANs while creating the CSR (the SANs we give while creating the
keystore are not used if we are signing from a CA)
3. We MUST give other extensions like Key Usage as well while creating the
CSR

Thanks
Godwin

On Tue, Jun 12, 2018 at 4:26 AM Tharindu Edirisinghe <tharin...@wso2.com>
wrote:

> Hi Godwin,
>
> Yes, SANs are part of the public certificate and are not bound to the
> public key or the private key (key pair). So we can consider them
> metadata of the certificate.
>
> *keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks
> -keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com*
>
> When we generate the key pair using the above command, the default public
> certificate generated contains the SANs defined. You can use [1] to decode
> the content below and check that.
>
> -----BEGIN CERTIFICATE-----
> MIIDcTCCAlmgAwIBAgIEQ5oSYzANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJp
> czELMAkGA1UECBMCaXMxCzAJBgNVBAcTAmlzMQswCQYDVQQKEwJpczELMAkGA1UE
> CxMCaXMxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xODA2MTIwMjIzNTRaFw0xODA5
> MTAwMjIzNTRaMFUxCzAJBgNVBAYTAmlzMQswCQYDVQQIEwJpczELMAkGA1UEBxMC
> aXMxCzAJBgNVBAoTAmlzMQswCQYDVQQLEwJpczESMBAGA1UEAxMJbG9jYWxob3N0
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hQKOBFRu+Q+KrLcPhpt
> CQprKcqMwCjtMh7fPvzYwUQLl0D+XLorQqx7dlPhU7g22jHpy+v/vfRwTHMh6VyH
> ZLzN0riX8xt89mnDFqA+VPE5NYY3y5nzHvXd3kwTA8gm1HcPnYaMnLQTlM9MG/1a
> iIfUH25p7K0v5UYLqIySJn8TOwumETS0r2C+8ISM8lyFrq++/Ppc4rKNAHD2On3g
> 0aVnYO1FQaSkcq2LsJ38m4AHrI8+bKrLH3K27EHIy1O1CRw6Trv/pq9ZngP+rP65
> WhK/s7J0cJ8JkM6SKdFGJitLP2/VNaN1+YTk/cJ8eCBoD3yCZU/lrsUDrh26ZagA
> bQIDAQABo0kwRzAmBgNVHREEHzAdggd4eXouY29tggdhYmMuY29tggloZWxsby5j
> b20wHQYDVR0OBBYEFMBlwLLkuEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUA
> A4IBAQAFwZi+7DafcwWYpUHhiQCOMtcoS0hAJ3l57U7FwgoYk5KdG2+tJD0v9agk
> p2PrTHnHgNhXhQDDJkuV03Wa6FPf48HSY1AuJZhaf5jFJmnocjMdyabEsgPaXw30
> FA05hZ4Y3PLRbTQLyiDGhuWmzZ5LuRFpF5cFt9ODPQWOfVuG/st/3nQFsFERXSZu
> Td69d7shs2cyyG013R65C0ZDynNVjKDR9LKz4cV01lmA7KqETqdcZaJppX+tJ54U
> fksGhNrXm/1VNSwi7wSKZnPC387chHUFSJVhaRz0oHrtJjWoYKXMiBRIXgbA1WAk
> JjV0MYJGx68sIwEO6R1ZGhM1o5eu
> -----END CERTIFICATE-----
>
> However, if I create a CSR, the SAN information is not included in the CSR
> file.
>
> Therefore it seems we need to include the required SANs at the time of
> creating the CSR. An example is below.
>
> *keytool -certreq -file wso2carbon.csr -keystore wso2carbon.jks -alias
> wso2carbon -ext SAN=dns:test.example.com*
>
> Then in the generated CSR, we can see that the SAN information is included.
> You can decode the following using [2] and check it.
>
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MIIC5zCCAc8CAQAwVTELMAkGA1UEBhMCaXMxCzAJBgNVBAgTAmlzMQswCQYDVQQHEwJpczELMAkG
> A1UEChMCaXMxCzAJBgNVBAsTAmlzMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
> AQUAA4IBDwAwggEKAoIBAQDeFAo4EVG75D4qstw+Gm0JCmspyozAKO0yHt8+/NjBRAuXQP5cuitC
> rHt2U+FTuDbaMenL6/+99HBMcyHpXIdkvM3SuJfzG3z2acMWoD5U8Tk1hjfLmfMe9d3eTBMDyCbU
> dw+dhoyctBOUz0wb/VqIh9QfbmnsrS/lRguojJImfxM7C6YRNLSvYL7whIzyXIWur778+lziso0A
> cPY6feDRpWdg7UVBpKRyrYuwnfybgAesjz5sqssfcrbsQcjLU7UJHDpOu/+mr1meA/6s/rlaEr+z
> snRwnwmQzpIp0UYmK0s/b9U1o3X5hOT9wnx4IGgPfIJlT+WuxQOuHbplqABtAgMBAAGgTTBLBgkq
> hkiG9w0BCQ4xPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhhbXBsZS5jb20wHQYDVR0OBBYEFMBlwLLk
> uEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUAA4IBAQB0pex3/TTMjMoQml6ljkm4Z1tKdQlA
> 9sbaIDmB2nafOMJ2O4RRCR8RK3FpFUP523XkhvtRq2SspVtq/R6KHXUsJeEHF5ynqMUjd66nuQpP
> lVMqXeufh6zC4VJWb1vBSYvaYF1HFO0y7qr9VoD77ywaAX3sZX1WRU/f/Z9VkfeNHCZDcGcURGb2
> NljnAkgrduZcol10GJ4lJhMiCwfYy5Yk57P3FhnXyeVRJo42vmUSbHGQm7g2JxzIzsgw3M2H+B60
> p5gRS/i38lxy9owwyI368efocIyDoOpD823rm/I53lB0ivLDn018ZLbYEtzRkC7iVHII90XTj/8j
> ML6XCITq
> -----END NEW CERTIFICATE REQUEST-----
>
> So, we can override the already included SANs when generating the CSR.
> Also, it seems it's a must to include the required extensions at the time we
> generate the CSR. Otherwise there's no way to communicate the required
> extensions to the CA.
>
> Also, when generating the CSR, we need to include other extensions like
> Key Usage (for encryption purposes), e.g. the data encipherment/key
> encipherment properties:
>
> *keytool -certreq -alias <KeyAlias value> -file <output_file_name.csr>
> -keystore <JKS file name> -ext
> KeyUsage:critical="keyCertSign,digitalSignature,keyEncipherment,dataEncipherment"
> -storepass <keystore password>*
>
>
> [1] https://www.sslshopper.com/certificate-decoder.html
> [2] https://www.sslshopper.com/csr-decoder.html
>
> Regards,
> TharinduE
>
> On Mon, Jun 11, 2018 at 1:31 AM Godwin Amila Shrimal <god...@wso2.com>
> wrote:
>
>> Hi,
>>
>> I have a clarification related to $subject. When we create the keystore
>> we can give the SAN as below.
>>
>> keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks
>> -keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com
>>
>> I have the following questions:
>> 1. AFAIK SANs are metadata of the public certificate. Is that correct?
>> 2. When we create the CSR, do we have to give SANs again, or do they remain
>> what we gave while creating the keystore?
>> 3. Can we override and give different SANs while creating the CSR? I have
>> seen in [1] that we need to give SANs while creating the CSR.
>>
>> I am a bit confused on this. Can you give your feedback on this?
>>
>> [1]
>> https://support.microsoft.com/en-gb/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate
>>
>> Thanks
>> Godwin
>> --
>> *Godwin Amila Shrimal*
>> Associate Technical Lead
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> mobile: *+94772264165*
>> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
>> twitter: https://twitter.com/godwinamila
>>
>
>
> --
>
> Tharindu Edirisinghe
> Associate Technical Lead | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586
>


-- 
*Godwin Amila Shrimal*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94772264165*
linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
twitter: https://twitter.com/godwinamila
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
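Tharindu's advice in the thread is to paste the CSR into an online decoder and confirm that the SAN made it in. The script below is added here as an editorial example (it is not part of keytool, of any WSO2 component, or of either poster's message) and performs that check offline with only the Python standard library: it walks the DER encoding of a PEM certificate or CSR, picks out every Extension (a SEQUENCE of an OID, an optional critical BOOLEAN and an OCTET STRING), and decodes the subjectAltName and keyUsage values. The embedded sample CSR is the one Tharindu posted (it carries only the SAN and a subject key identifier, so its key usage comes back empty, which is exactly what the CA would see). The KeyUsage extension bytes are constructed by hand to mirror the `-ext KeyUsage:critical="keyCertSign,digitalSignature,keyEncipherment,dataEncipherment"` example, since the posted CSR has no KeyUsage. The same two functions work unchanged on the certificate posted earlier in the thread, where they report the three `-genkey` SANs.

```python
# Offline check of the SAN and KeyUsage extensions in a PEM certificate or CSR.
# Standard-library DER walker added to this thread as an example; not part of keytool or WSO2.
import base64
import re

OID_SAN = bytes.fromhex("551d11")        # 2.5.29.17 subjectAltName
OID_KEY_USAGE = bytes.fromhex("551d0f")  # 2.5.29.15 keyUsage

# RFC 5280 KeyUsage named bits; bit 0 is the most significant bit of the BIT STRING
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# GeneralName context tags whose value is an IA5String
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "dns", 0x86: "uri"}

# The CSR posted in the thread (generated with -ext SAN=dns:test.example.com)
CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC5zCCAc8CAQAwVTELMAkGA1UEBhMCaXMxCzAJBgNVBAgTAmlzMQswCQYDVQQHEwJpczELMAkG
A1UEChMCaXMxCzAJBgNVBAsTAmlzMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDeFAo4EVG75D4qstw+Gm0JCmspyozAKO0yHt8+/NjBRAuXQP5cuitC
rHt2U+FTuDbaMenL6/+99HBMcyHpXIdkvM3SuJfzG3z2acMWoD5U8Tk1hjfLmfMe9d3eTBMDyCbU
dw+dhoyctBOUz0wb/VqIh9QfbmnsrS/lRguojJImfxM7C6YRNLSvYL7whIzyXIWur778+lziso0A
cPY6feDRpWdg7UVBpKRyrYuwnfybgAesjz5sqssfcrbsQcjLU7UJHDpOu/+mr1meA/6s/rlaEr+z
snRwnwmQzpIp0UYmK0s/b9U1o3X5hOT9wnx4IGgPfIJlT+WuxQOuHbplqABtAgMBAAGgTTBLBgkq
hkiG9w0BCQ4xPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhhbXBsZS5jb20wHQYDVR0OBBYEFMBlwLLk
uEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUAA4IBAQB0pex3/TTMjMoQml6ljkm4Z1tKdQlA
9sbaIDmB2nafOMJ2O4RRCR8RK3FpFUP523XkhvtRq2SspVtq/R6KHXUsJeEHF5ynqMUjd66nuQpP
lVMqXeufh6zC4VJWb1vBSYvaYF1HFO0y7qr9VoD77ywaAX3sZX1WRU/f/Z9VkfeNHCZDcGcURGb2
NljnAkgrduZcol10GJ4lJhMiCwfYy5Yk57P3FhnXyeVRJo42vmUSbHGQm7g2JxzIzsgw3M2H+B60
p5gRS/i38lxy9owwyI368efocIyDoOpD823rm/I53lB0ivLDn018ZLbYEtzRkC7iVHII90XTj/8j
ML6XCITq
-----END NEW CERTIFICATE REQUEST-----"""

# Constructed sample: Extension { keyUsage, critical TRUE, BIT STRING 0xB4 with 2 unused bits },
# i.e. digitalSignature, keyEncipherment, dataEncipherment, keyCertSign as in the -ext KeyUsage example
KEY_USAGE_EXTENSION_DER = bytes.fromhex("300e0603551d0f0101ff0404030202b4")


def pem_to_der(pem):
    """Strip the BEGIN/END armour and all whitespace, then base64-decode."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def extensions(der):
    """Yield (extnID, extnValue) for every Extension found anywhere in the DER.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING },
    so a SEQUENCE that starts with an OID and ends with an OCTET STRING is one. The walk is
    generic: it finds them in a certificate's [3] extensions or in a CSR's extensionRequest."""
    def walk(tag, value):
        if not tag & 0x20:  # primitive type: nothing to descend into
            return
        kids = list(children(value))
        if tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
            yield kids[0][1], kids[-1][1]
            return
        for t, v in kids:
            yield from walk(t, v)
    tag, value, _ = read_tlv(der, 0)
    yield from walk(tag, value)


def subject_alt_names(der):
    """Return the SAN GeneralNames as 'type:value' strings ([] if there is no SAN extension)."""
    names = []
    for oid, extn_value in extensions(der):
        if oid == OID_SAN:
            _, general_names, _ = read_tlv(extn_value, 0)  # SEQUENCE OF GeneralName
            for tag, value in children(general_names):
                if tag in GENERAL_NAME_TAGS:
                    names.append(f"{GENERAL_NAME_TAGS[tag]}:{value.decode('ascii')}")
    return names


def key_usage(der):
    """Return the KeyUsage named bits that are set ([] if there is no KeyUsage extension)."""
    for oid, extn_value in extensions(der):
        if oid == OID_KEY_USAGE:
            _, bits, _ = read_tlv(extn_value, 0)  # BIT STRING: first octet = unused bit count
            total = (len(bits) - 1) * 8 - bits[0]
            value = int.from_bytes(bits[1:], "big")
            return [name for i, name in enumerate(KEY_USAGE_BITS)
                    if i < total and (value >> ((len(bits) - 1) * 8 - 1 - i)) & 1]
    return []


if __name__ == "__main__":
    csr = pem_to_der(CSR_PEM)
    print("CSR SAN:", subject_alt_names(csr))        # ['dns:test.example.com']
    print("CSR KeyUsage:", key_usage(csr))            # [] -> nothing requested from the CA
    print("Sample KeyUsage:", key_usage(KEY_USAGE_EXTENSION_DER))
```

Run it against any CSR before sending it to the CA: an empty SAN list or an empty key usage list means the request does not ask for that extension, and, as Tharindu notes, the CA then has no way of knowing you wanted it.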
