Re: [Dev] Subject Alternative Names in certificate

2018-06-12 Thread Godwin Amila Shrimal
Hi Tharindu,

Thanks a lot for your detailed explanation. This sorted out all the doubts I had.
As a summary:

1. SANs are metadata of the certificate
2. We MUST give SANs while creating the CSR (the SANs we give while creating
the keystore are not used if we are signing with a CA)
3. We MUST give other extensions like Key Usage as well while creating the
CSR

Thanks
Godwin

On Tue, Jun 12, 2018 at 4:26 AM Tharindu Edirisinghe wrote:

> Hi Godwin,
>
> Yes, SANS is a part of the public certificate and it's not bound to the
> public key or the private key (key-pair). So we can consider that as
> metadata of the certificate.
>
> *keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks
> -keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com*
>
> When we generate the key-pair using above command, the default public
> certificate generated contains the SANs defined. You can use [1] to decode
> the content below and check that.
>
> -----BEGIN CERTIFICATE-----
> MIIDcTCCAlmgAwIBAgIEQ5oSYzANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJp
> czELMAkGA1UECBMCaXMxCzAJBgNVBAcTAmlzMQswCQYDVQQKEwJpczELMAkGA1UE
> CxMCaXMxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xODA2MTIwMjIzNTRaFw0xODA5
> MTAwMjIzNTRaMFUxCzAJBgNVBAYTAmlzMQswCQYDVQQIEwJpczELMAkGA1UEBxMC
> aXMxCzAJBgNVBAoTAmlzMQswCQYDVQQLEwJpczESMBAGA1UEAxMJbG9jYWxob3N0
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hQKOBFRu+Q+KrLcPhpt
> CQprKcqMwCjtMh7fPvzYwUQLl0D+XLorQqx7dlPhU7g22jHpy+v/vfRwTHMh6VyH
> ZLzN0riX8xt89mnDFqA+VPE5NYY3y5nzHvXd3kwTA8gm1HcPnYaMnLQTlM9MG/1a
> iIfUH25p7K0v5UYLqIySJn8TOwumETS0r2C+8ISM8lyFrq++/Ppc4rKNAHD2On3g
> 0aVnYO1FQaSkcq2LsJ38m4AHrI8+bKrLH3K27EHIy1O1CRw6Trv/pq9ZngP+rP65
> WhK/s7J0cJ8JkM6SKdFGJitLP2/VNaN1+YTk/cJ8eCBoD3yCZU/lrsUDrh26ZagA
> bQIDAQABo0kwRzAmBgNVHREEHzAdggd4eXouY29tggdhYmMuY29tggloZWxsby5j
> b20wHQYDVR0OBBYEFMBlwLLkuEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUA
> A4IBAQAFwZi+7DafcwWYpUHhiQCOMtcoS0hAJ3l57U7FwgoYk5KdG2+tJD0v9agk
> p2PrTHnHgNhXhQDDJkuV03Wa6FPf48HSY1AuJZhaf5jFJmnocjMdyabEsgPaXw30
> FA05hZ4Y3PLRbTQLyiDGhuWmzZ5LuRFpF5cFt9ODPQWOfVuG/st/3nQFsFERXSZu
> Td69d7shs2cyyG013R65C0ZDynNVjKDR9LKz4cV01lmA7KqETqdcZaJppX+tJ54U
> fksGhNrXm/1VNSwi7wSKZnPC387chHUFSJVhaRz0oHrtJjWoYKXMiBRIXgbA1WAk
> JjV0MYJGx68sIwEO6R1ZGhM1o5eu
> -----END CERTIFICATE-----
>
> However, if I create a CSR, in the CSR file, the SAN information is not
> included.
>
> Therefore it seems we need to include the required SANs at the time of
> creating the CSR. Example is below.
>
> *keytool -certreq -file wso2carbon.csr -keystore wso2carbon.jks -alias
> wso2carbon -ext SAN=dns:test.example.com*
>
> Then in the generated CSR, we can see the SAN information is included. You
> can decode the following using [2] and check it.
>
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MIIC5zCCAc8CAQAwVTELMAkGA1UEBhMCaXMxCzAJBgNVBAgTAmlzMQswCQYDVQQHEwJpczELMAkG
> A1UEChMCaXMxCzAJBgNVBAsTAmlzMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
> AQUAA4IBDwAwggEKAoIBAQDeFAo4EVG75D4qstw+Gm0JCmspyozAKO0yHt8+/NjBRAuXQP5cuitC
> rHt2U+FTuDbaMenL6/+99HBMcyHpXIdkvM3SuJfzG3z2acMWoD5U8Tk1hjfLmfMe9d3eTBMDyCbU
> dw+dhoyctBOUz0wb/VqIh9QfbmnsrS/lRguojJImfxM7C6YRNLSvYL7whIzyXIWur778+lziso0A
> cPY6feDRpWdg7UVBpKRyrYuwnfybgAesjz5sqssfcrbsQcjLU7UJHDpOu/+mr1meA/6s/rlaEr+z
> snRwnwmQzpIp0UYmK0s/b9U1o3X5hOT9wnx4IGgPfIJlT+WuxQOuHbplqABtAgMBAAGgTTBLBgkq
> hkiG9w0BCQ4xPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhhbXBsZS5jb20wHQYDVR0OBBYEFMBlwLLk
> uEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUAA4IBAQB0pex3/TTMjMoQml6ljkm4Z1tKdQlA
> 9sbaIDmB2nafOMJ2O4RRCR8RK3FpFUP523XkhvtRq2SspVtq/R6KHXUsJeEHF5ynqMUjd66nuQpP
> lVMqXeufh6zC4VJWb1vBSYvaYF1HFO0y7qr9VoD77ywaAX3sZX1WRU/f/Z9VkfeNHCZDcGcURGb2
> NljnAkgrduZcol10GJ4lJhMiCwfYy5Yk57P3FhnXyeVRJo42vmUSbHGQm7g2JxzIzsgw3M2H+B60
> p5gRS/i38lxy9owwyI368efocIyDoOpD823rm/I53lB0ivLDn018ZLbYEtzRkC7iVHII90XTj/8j
> ML6XCITq
> -----END NEW CERTIFICATE REQUEST-----
>
> So, we can override the already included SANs when generating the CSR.
> Also it seems it's a must to include the required extensions at the time we
> generate the CSR. Otherwise there's no way to communicate the required
> extensions to the CA.
>
> Also, when generating the CSR, we need to include other extensions like
> Key Usage (for encryption purposes) like data encipherment/key
> encipherment properties...
>
> *keytool -certreq -alias  -file 
> -keystore  -ext
> KeyUsage:critical="keyCertSign,digitalSignature,keyEncipherment,dataEncipherment"
> -storepass *
>
>
> [1] https://www.sslshopper.com/certificate-decoder.html
> [2] https://www.sslshopper.com/csr-decoder.html
>
> Regards,
> TharinduE
>
> On Mon, Jun 11, 2018 at 1:31 AM Godwin Amila Shrimal wrote:
>
>> Hi,
>>
>> I have a clarification related to $subject. When we create the keystore
>> we can give the SAN as below.
>>
>> keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks
>> -keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com
>>
>> I have following two 

Re: [Dev] Subject Alternative Names in certificate

2018-06-11 Thread Tharindu Edirisinghe
Hi Godwin,

Yes, SANS is a part of the public certificate and it's not bound to the
public key or the private key (key-pair). So we can consider that as
metadata of the certificate.

*keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks
-keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com*

When we generate the key-pair using above command, the default public
certificate generated contains the SANs defined. You can use [1] to decode
the content below and check that.

-----BEGIN CERTIFICATE-----
MIIDcTCCAlmgAwIBAgIEQ5oSYzANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJp
czELMAkGA1UECBMCaXMxCzAJBgNVBAcTAmlzMQswCQYDVQQKEwJpczELMAkGA1UE
CxMCaXMxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xODA2MTIwMjIzNTRaFw0xODA5
MTAwMjIzNTRaMFUxCzAJBgNVBAYTAmlzMQswCQYDVQQIEwJpczELMAkGA1UEBxMC
aXMxCzAJBgNVBAoTAmlzMQswCQYDVQQLEwJpczESMBAGA1UEAxMJbG9jYWxob3N0
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hQKOBFRu+Q+KrLcPhpt
CQprKcqMwCjtMh7fPvzYwUQLl0D+XLorQqx7dlPhU7g22jHpy+v/vfRwTHMh6VyH
ZLzN0riX8xt89mnDFqA+VPE5NYY3y5nzHvXd3kwTA8gm1HcPnYaMnLQTlM9MG/1a
iIfUH25p7K0v5UYLqIySJn8TOwumETS0r2C+8ISM8lyFrq++/Ppc4rKNAHD2On3g
0aVnYO1FQaSkcq2LsJ38m4AHrI8+bKrLH3K27EHIy1O1CRw6Trv/pq9ZngP+rP65
WhK/s7J0cJ8JkM6SKdFGJitLP2/VNaN1+YTk/cJ8eCBoD3yCZU/lrsUDrh26ZagA
bQIDAQABo0kwRzAmBgNVHREEHzAdggd4eXouY29tggdhYmMuY29tggloZWxsby5j
b20wHQYDVR0OBBYEFMBlwLLkuEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUA
A4IBAQAFwZi+7DafcwWYpUHhiQCOMtcoS0hAJ3l57U7FwgoYk5KdG2+tJD0v9agk
p2PrTHnHgNhXhQDDJkuV03Wa6FPf48HSY1AuJZhaf5jFJmnocjMdyabEsgPaXw30
FA05hZ4Y3PLRbTQLyiDGhuWmzZ5LuRFpF5cFt9ODPQWOfVuG/st/3nQFsFERXSZu
Td69d7shs2cyyG013R65C0ZDynNVjKDR9LKz4cV01lmA7KqETqdcZaJppX+tJ54U
fksGhNrXm/1VNSwi7wSKZnPC387chHUFSJVhaRz0oHrtJjWoYKXMiBRIXgbA1WAk
JjV0MYJGx68sIwEO6R1ZGhM1o5eu
-----END CERTIFICATE-----

However, if I create a CSR, in the CSR file, the SAN information is not
included.

Therefore it seems we need to include the required SANs at the time of
creating the CSR. Example is below.

*keytool -certreq -file wso2carbon.csr -keystore wso2carbon.jks -alias
wso2carbon -ext SAN=dns:test.example.com*

Then in the generated CSR, we can see the SAN information is included. You
can decode the following using [2] and check it.

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC5zCCAc8CAQAwVTELMAkGA1UEBhMCaXMxCzAJBgNVBAgTAmlzMQswCQYDVQQHEwJpczELMAkG
A1UEChMCaXMxCzAJBgNVBAsTAmlzMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDeFAo4EVG75D4qstw+Gm0JCmspyozAKO0yHt8+/NjBRAuXQP5cuitC
rHt2U+FTuDbaMenL6/+99HBMcyHpXIdkvM3SuJfzG3z2acMWoD5U8Tk1hjfLmfMe9d3eTBMDyCbU
dw+dhoyctBOUz0wb/VqIh9QfbmnsrS/lRguojJImfxM7C6YRNLSvYL7whIzyXIWur778+lziso0A
cPY6feDRpWdg7UVBpKRyrYuwnfybgAesjz5sqssfcrbsQcjLU7UJHDpOu/+mr1meA/6s/rlaEr+z
snRwnwmQzpIp0UYmK0s/b9U1o3X5hOT9wnx4IGgPfIJlT+WuxQOuHbplqABtAgMBAAGgTTBLBgkq
hkiG9w0BCQ4xPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhhbXBsZS5jb20wHQYDVR0OBBYEFMBlwLLk
uEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUAA4IBAQB0pex3/TTMjMoQml6ljkm4Z1tKdQlA
9sbaIDmB2nafOMJ2O4RRCR8RK3FpFUP523XkhvtRq2SspVtq/R6KHXUsJeEHF5ynqMUjd66nuQpP
lVMqXeufh6zC4VJWb1vBSYvaYF1HFO0y7qr9VoD77ywaAX3sZX1WRU/f/Z9VkfeNHCZDcGcURGb2
NljnAkgrduZcol10GJ4lJhMiCwfYy5Yk57P3FhnXyeVRJo42vmUSbHGQm7g2JxzIzsgw3M2H+B60
p5gRS/i38lxy9owwyI368efocIyDoOpD823rm/I53lB0ivLDn018ZLbYEtzRkC7iVHII90XTj/8j
ML6XCITq
-----END NEW CERTIFICATE REQUEST-----

So, we can override the already included SANs when generating the CSR. Also
it seems it's a must to include the required extensions at the time we
generate the CSR. Otherwise there's no way to communicate the required
extensions to the CA.

Also, when generating the CSR, we need to include other extensions like Key
Usage (for encryption purposes) like data encipherment/key encipherment
properties...

*keytool -certreq -alias  -file 
-keystore  -ext
KeyUsage:critical="keyCertSign,digitalSignature,keyEncipherment,dataEncipherment"
-storepass *


[1] https://www.sslshopper.com/certificate-decoder.html
[2] https://www.sslshopper.com/csr-decoder.html

Regards,
TharinduE

On Mon, Jun 11, 2018 at 1:31 AM Godwin Amila Shrimal wrote:

> Hi,
>
> I have a clarification related to $subject. When we create the keystore
> we can give the SAN as below.
>
> keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks
> -keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com
>
> I have the following two questions:
> 1. AFAIK SANs are metadata of the public certificate. Is that correct?
> 2. When we create the CSR, do we have to give the SANs again, or do they
> remain what we gave while creating the keystore?
> 3. Can we override and give different SANs while creating the CSR? I have
> seen in [1] that we need to give SANs while creating the CSR.
>
> I am a bit confused on this. Can you give your feedback on this?
>
> [1]
> https://support.microsoft.com/en-gb/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate
>
> Thanks
> Godwin
> --
> *Godwin Amila Shrimal*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> 
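The "decode the CSR and check" step above can be done offline as well. The following is an added example, not code from this thread or from WSO2: it walks the DER structure of the CSR quoted in the message with only the Python standard library and reports the dNSName entries of the Subject Alternative Name extension and, if present, the KeyUsage bits and whether they were marked critical. The CSR text is the one from the message; KEY_USAGE_SAMPLE is a constructed sample (a critical KeyUsage with digitalSignature and keyEncipherment, wrapped in an Extensions SEQUENCE), and the function names are the example's own. The same functions work on a PEM certificate, since the search is by extension OID rather than by position.

```python
"""Check which SANs and KeyUsage a CSR (or certificate) actually carries, stdlib only."""
import base64

# DER-encoded OID contents: id-ce-subjectAltName (2.5.29.17), id-ce-keyUsage (2.5.29.15)
OID_SAN = bytes.fromhex("551d11")
OID_KEY_USAGE = bytes.fromhex("551d0f")
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# The CSR from the thread (generated with -ext SAN=dns:test.example.com).
CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC5zCCAc8CAQAwVTELMAkGA1UEBhMCaXMxCzAJBgNVBAgTAmlzMQswCQYDVQQHEwJpczELMAkG
A1UEChMCaXMxCzAJBgNVBAsTAmlzMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDeFAo4EVG75D4qstw+Gm0JCmspyozAKO0yHt8+/NjBRAuXQP5cuitC
rHt2U+FTuDbaMenL6/+99HBMcyHpXIdkvM3SuJfzG3z2acMWoD5U8Tk1hjfLmfMe9d3eTBMDyCbU
dw+dhoyctBOUz0wb/VqIh9QfbmnsrS/lRguojJImfxM7C6YRNLSvYL7whIzyXIWur778+lziso0A
cPY6feDRpWdg7UVBpKRyrYuwnfybgAesjz5sqssfcrbsQcjLU7UJHDpOu/+mr1meA/6s/rlaEr+z
snRwnwmQzpIp0UYmK0s/b9U1o3X5hOT9wnx4IGgPfIJlT+WuxQOuHbplqABtAgMBAAGgTTBLBgkq
hkiG9w0BCQ4xPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhhbXBsZS5jb20wHQYDVR0OBBYEFMBlwLLk
uEv1/4xyBV4pQMPiFkjqMA0GCSqGSIb3DQEBCwUAA4IBAQB0pex3/TTMjMoQml6ljkm4Z1tKdQlA
9sbaIDmB2nafOMJ2O4RRCR8RK3FpFUP523XkhvtRq2SspVtq/R6KHXUsJeEHF5ynqMUjd66nuQpP
lVMqXeufh6zC4VJWb1vBSYvaYF1HFO0y7qr9VoD77ywaAX3sZX1WRU/f/Z9VkfeNHCZDcGcURGb2
NljnAkgrduZcol10GJ4lJhMiCwfYy5Yk57P3FhnXyeVRJo42vmUSbHGQm7g2JxzIzsgw3M2H+B60
p5gRS/i38lxy9owwyI368efocIyDoOpD823rm/I53lB0ivLDn018ZLbYEtzRkC7iVHII90XTj/8j
ML6XCITq
-----END NEW CERTIFICATE REQUEST-----"""

# Constructed sample, not from the thread: Extensions SEQUENCE holding one critical
# KeyUsage extension whose BIT STRING sets digitalSignature and keyEncipherment.
KEY_USAGE_SAMPLE = bytes.fromhex("3010" "300e" "0603551d0f" "0101ff" "0404" "030205a0")

def pem_to_der(pem):
    """Strip the armour lines and base64-decode the body."""
    body = [l.strip() for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))

def der_read(buf, pos):
    """Read one TLV (single-byte tag, short or long form length) at pos."""
    tag, pos = buf[pos], pos + 1
    assert (tag & 0x1f) != 0x1f, "multi-byte tags are not expected in X.509/PKCS#10"
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    kids, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        kids.append((tag, val))
    return kids

def find_extension(tag, value, oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE,
    extnValue OCTET STRING }; returns (critical, extnValue content) or None.
    Finds extensions under [3] in a certificate and inside the extensionRequest
    attribute of a PKCS#10 CSR alike, because it matches on the OID, not the position."""
    if not (tag & 0x20):                    # primitive element: nothing to descend into
        return None
    kids = der_children(value)
    if tag == 0x30 and kids and kids[0] == (0x06, oid):
        critical = any(k == (0x01, b"\xff") for k in kids[1:-1])
        return critical, kids[-1][1]
    for t, v in kids:
        hit = find_extension(t, v, oid)
        if hit is not None:
            return hit
    return None

def san_dns_names(der):
    """dNSName entries ([2] IMPLICIT IA5String, tag 0x82) of the SAN extension; [] if absent."""
    tag, value, _ = der_read(der, 0)
    hit = find_extension(tag, value, OID_SAN)
    if hit is None:
        return []
    _, names_seq, _ = der_read(hit[1], 0)   # GeneralNames SEQUENCE inside the OCTET STRING
    return [v.decode("ascii") for t, v in der_children(names_seq) if t == 0x82]

def key_usage(der):
    """(critical, [bit names]) for the KeyUsage BIT STRING, or None if the extension is absent."""
    tag, value, _ = der_read(der, 0)
    hit = find_extension(tag, value, OID_KEY_USAGE)
    if hit is None:
        return None
    critical, extn_value = hit
    _, bits, _ = der_read(extn_value, 0)    # BIT STRING: first byte counts unused trailing bits
    unused, data = bits[0], bits[1:]
    nbits = 8 * len(data) - unused
    names = [KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
             if (data[i // 8] >> (7 - i % 8)) & 1]
    return critical, names

if __name__ == "__main__":
    der = pem_to_der(CSR_PEM)
    print("CSR SANs:", san_dns_names(der))        # ['test.example.com']
    print("CSR KeyUsage:", key_usage(der))        # None: nothing for the CA to copy
    print("Sample KeyUsage:", key_usage(KEY_USAGE_SAMPLE))
```

Run against the CSR from the message, the check reports only test.example.com: the three names given at keystore creation are not carried over, which is the point about overriding SANs at -certreq time. KeyUsage comes back as None for that CSR because the -certreq command did not request it, which is exactly why the message recommends adding the KeyUsage extension to the CSR when the CA is expected to honour it. The parser assumes well-formed DER with single-byte tags, which holds for keytool and OpenSSL output; it reports what is present and does not validate the request's signature.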

[Dev] Subject Alternative Names in certificate

2018-06-10 Thread Godwin Amila Shrimal
Hi,

I have a clarification related to $subject. When we create the keystore we
can give the SAN as below.

keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks
-keysize 2048 -ext SAN=dns:xyz.com,dns:abc.com,dns:hello.com

I have the following two questions:
1. AFAIK SANs are metadata of the public certificate. Is that correct?
2. When we create the CSR, do we have to give the SANs again, or do they
remain what we gave while creating the keystore?
3. Can we override and give different SANs while creating the CSR? I have seen
in [1] that we need to give SANs while creating the CSR.

I am a bit confused on this. Can you give your feedback on this?

[1]
https://support.microsoft.com/en-gb/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate

Thanks
Godwin
-- 
*Godwin Amila Shrimal*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94772264165*
linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
twitter: https://twitter.com/godwinamila

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev