Thursday, November 16, 2017

[SOLVED] "Illegal option: -ext" error in keytool command when generating keypair with setting subject alternative names

We can use the keytool command for generating key pairs and keystores which would be needed configuring SSL for websites, encryption scenarios, etc.

Usually when generating the keypair, we would define the CN (Common Name) field of the digital certificate to match the domain name of the website, so we don’t run into any hostname verification issues later.

However, there are scenarios where we might need to use the same digital certificate for multiple websites (different domains). In such case, we can define all the domains in the Subject Alternative Name [1] extension of the certificate.

An example is if you check website’s digital certificate, you will see that the CN is not matching the above domain name. The CN is a subdomain of cloudflare because is using cloudflare as a proxy.

Therefore, to match the hostname, the domain is added as DNS names under the subject alternative name extension of the certificate.

Now, when we generate a keypair using keytool command, we can define the subject alternative names using the -ext parameter. For more information on keytool commands, refer [2].

Here is a sample keytool command where I generate a keypair (wrapped in a JKS file) giving a DNS Name “” as a subject alternative name.

keytool -genkeypair -keystore keystore.jks -dname ", OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass keypwd -storepass storepass -keyalg RSA -alias testcert -ext

However, when I run the command, I would get “Illegal option:  -ext” error.

If I run the “keytool -help” command, it would list the supported parameters by keytool command. However, under -genkeypair flow, it does not list the -ext as a valid parameter.

The reason is, in a linux system, the keytool command would reside in /usr/bin/keytool which is executed if the command starts with “keytool”.  This executable does not support the -ext parameter which causes the issue.

Apart from that, keytool executable is located with the JDK/JRE installation as well.

So, you have to use the keytool executable in either JDK or JRE for executing the keytool command for setting the subject alternative name.

If we browse the generated keystore from a tool like Keytool Explorer we can see that the subject alternative name is correctly set.
We can use the keytool -list command to list the generated entry and that also will confirm that the subject alternative name is correctly set in the certificate.


Tharindu Edirisinghe

1 comment:

  1. I could not resist commenting. Well written!