I'm using pyOpenSSL to create a X509 certifcate. I need to import this certificate into a Java JKS keystore to make it available to my Java application. This is working fine as long as I don't add a subjectAltName extension to the certificate. If the certificate has an alternative subject set, import into the JKS keystore fails:
root@51561a8a1e01:~# /opt/oracle/java/jdk64-1.8.0_92/bin/keytool -keystore keystore -storepass changeit -noprompt -importcert -alias example -file certificate.crt -v
keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
at sun.security.tools.keytool.Main.doCommands(Main.java:1009)655)
at sun.security.tools.keytool.Main.main(Main.java:336)
root@51561a8a1e01:~#
If I print this certificate using OpenSSL on the command line, I get this output:
root@51561a8a1e01:~# openssl x509 -in certificate.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: OU=example.com, CN=my-server.example.com, O=example.com
Validity
Not Before: Aug 26 12:03:03 2016 GMT
Not After : Aug 25 12:03:03 2021 GMT
Subject: OU=example.com, CN=my-server.example.com, O=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:a7:53:5a:38:...:11:2f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost
Signature Algorithm: sha256WithRSAEncryption
ab:51:12:fb:a6:a6:...:0d:4b
That is the certificate is obviously valid. And according to oracle's documentation the Java 8 keytool should support the SubjectAlternativeName extension.
When I tried to generate everything with keytool itself - which seems to work - I noticed that the certificate generated by keytool has a second extension X509v3 Subject Key Identifier:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1510484556 (0x5a082a4c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=example.com, OU=example.com, CN=my-server.example.com
Validity
Not Before: Aug 26 12:52:43 2016 GMT
Not After : Nov 24 12:52:43 2016 GMT
Subject: O=example.com, OU=example.com, CN=my-server.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:99:b6:b1:11:a6:...:7b:39
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost
X509v3 Subject Key Identifier:
66:75:AD:7A:A5:19:AB:43:DE:55:E4:A7:4F:C2:3D:53:55:49:CE:48
Signature Algorithm: sha256WithRSAEncryption
50:7c:fe:c8:5d:1b:...:da:27
Do I need to add this extension to my certificate using pyOpenSSL as well. But what would be the correct value?!
Well, just after writing down everything for this question I noticed that there is a second difference between the certificate generated with pyOpenSSL and the keytool one. The keytool certificate states Version: 3 (0x2) while the other one says Version: 1 (0x0).
I'm not too much into the X509 specs but as the extensions are all prefixed with X509v3 I'd guess that extension support is not available for version 1 certificates.
And after adapting my python code to set the version to 3 (actually 2 as version is 0 based), import into keytool works as expected:
_cert = OpenSSL.crypto.X509()
_cert.set_version(2)
...