JDK-6847026 : keytool should be able to generate certreq and cert without subject name
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2009-06-02
  • Updated: 2017-05-16
  • Resolved: 2009-07-31
JDK 7: 7 b72 (Fixed)
Related Reports
Relates :  
Description
A certificate's subject field is allowed to be empty if it has a subjectAlternativeName extension. keytool currently cannot generate a cert request or a cert without the subject field. The reason is that the subject field is determined at the -genkeypair time and never changed at -certreq or -gencert. Since the cert generated at -genkeypair is self-signed and a self-signed cert must have the subject field, we have no chance to specify the empty subject now.

Comments
EVALUATION http://hg.openjdk.java.net/jdk7/tl/jdk/rev/8bb89d9fd061
22-07-2009

EVALUATION Solution: support -dname at -certreq and -gencert. If the option is specified, the subject in certreq/cert uses the value specified by the option. User can now run keytool -certreq/-gencert -dname "" to generate a certreq/cert without subject. A critical subjectAlternativeName extension MUST be added when the subject is missing.

    keytool -certreq -alias me -ext san:c=email:###@###.### -dname "" | keytool -gencert -alias ca -ext honored=all
02-06-2009
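
The workflow from the evaluation above, written out end to end as an added example (not part of the original report or of the JDK change): it issues a certificate with an empty subject and a critical subjectAlternativeName, then confirms both properties in the keytool -printcert output. The keystore path, password, DNs and e-mail address are constructed for the demo, and the expected -printcert text assumes the JDK's English resource strings.

```shell
#!/bin/sh
# Added example: keystore path, password, DNs and e-mail address are constructed.

# Issue a cert for alias "me" with an empty subject and print it in text form.
issue_empty_subject_cert() {
    dir=$1
    # Shared keystore options; "changeit" is a throwaway demo password.
    set -- -keystore "$dir/demo.p12" -storetype PKCS12 -storepass changeit
    # -genkeypair still needs a DN: the self-signed cert it creates must have one.
    keytool -genkeypair "$@" -alias ca -dname "CN=Demo CA" -ext bc:c \
        -keyalg RSA -keysize 2048 >/dev/null 2>&1 || return 1
    keytool -genkeypair "$@" -alias me -dname "CN=placeholder" \
        -keyalg RSA -keysize 2048 >/dev/null 2>&1 || return 1
    # -dname "" empties the subject in the request; san:c marks the SAN critical.
    # honored=all makes the issuing side copy the requested extensions.
    keytool -certreq "$@" -alias me -dname "" \
        -ext san:c=email:me@example.test 2>/dev/null |
        keytool -gencert "$@" -alias ca -ext honored=all -rfc \
            >"$dir/me.pem" 2>/dev/null || return 1
    # Force English so the "Owner:" label checked below is predictable.
    keytool -J-Duser.language=en -printcert -file "$dir/me.pem" 2>/dev/null
}

# Return 0 if the issued cert has an empty subject AND a critical SAN
# (OID 2.5.29.17), 1 if a step or check fails, 2 if keytool is not installed.
check_empty_subject_cert() {
    command -v keytool >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 1
    if text=$(issue_empty_subject_cert "$tmp"); then rc=0; else rc=1; fi
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
    # Empty subject: nothing follows the "Owner:" label.
    printf '%s\n' "$text" | grep -Eq '^Owner: *$' || return 1
    # SAN extension present and flagged critical.
    printf '%s\n' "$text" | grep -q 'ObjectId: 2\.5\.29\.17 Criticality=true'
}
```

Call check_empty_subject_cert and inspect its exit status; dropping the :c modifier from the -ext san option is a quick way to see the critical-SAN check fail.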