Requesting and Deploying SSL Certs with additional SAN and Custom Key Usage


Jul 2019


In most projects, SSL has become mandatory for deploying enterprise applications. An application URL may have multiple aliases, CNAMEs or VIP names that all point to the same back-end application or web servers. In such cases you want to request an SSL certificate with additional SANs (Subject Alternative Names). Also, when implementing two-way SSL between two applications, the key usage on the certificates may not match, especially when accessing applications that present newer certificates.


In the above cases a standard CSR request might not work. Listed below are steps you can follow to generate a CSR with additional SAN attributes and a defined key usage type. Once the CSR is generated, you can send it to an internal or external CA to get the certificate you need.


Also included are commands you can use to convert the certificate from standard PEM to PKCS#12 (PFX) so you can import it into a Java Key Store (JKS).




  1. Create a working directory where you'll store the private key, the custom configuration file and the CSR, then define the following variables (you can use any values for WORKDIR and DBSERIAL; they only identify the location and the CSR file):
    export WORKDIR=/Users/Arun/Documents
    export DBSERIAL=zionhost
  2. Create a custom configuration file named $DBSERIAL.csr.cnf in $WORKDIR with the following content (I provided sample values and explanation).
  3. Once the configuration file is created, run the command below to generate the CSR (openssl must be installed on the server or desktop you run it from). The -config path must point at the file created in step 2; -days only applies when openssl req is used with -x509, so it has no effect on a CSR (the CA sets the validity) and is omitted here.

    openssl req -new -newkey rsa:2048 -keyout ${WORKDIR}/${DBSERIAL}.key -out ${WORKDIR}/${DBSERIAL}.csr -nodes -config ${WORKDIR}/${DBSERIAL}.csr.cnf -sha256



  4. The CSR file is created in $WORKDIR. You can send it to your SSL administrator or to an external CA to receive your certificate.

  6. Usually CAs issue a standard PEM certificate. If you need to import the cert into a Java Key Store, you'll need to run the command below to convert it into a PFX bundle (PKCS#12) and then import it. Use the first form when you have the CA chain file, so the intermediate and root certificates are bundled with the server certificate; use the second form when you only have the server certificate and key.

    # with the CA chain bundled in
    openssl pkcs12 -export -out ziontest.pfx -inkey ziontest.key -in ziontest.cer -certfile ca-chain.crt


    # server certificate and key only
    openssl pkcs12 -export -out ziontest.pfx -inkey ziontest.key -in ziontest.cer


  8. You can use the command below to import the newly generated PFX bundle into your application server key store (JKS); the source file is the PFX produced in step 6.
    keytool -importkeystore -srckeystore ziontest.pfx -srcstoretype pkcs12 -destkeystore soa_identity.jks -deststoretype JKS
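The configuration file that step 2 refers to, and the step 3 command that consumes it, as an added example that is not from the original post. The hostnames, the DN fields and the file layout are constructed sample values; the key usage and extended key usage lines are the ones a server certificate that must also work as a client certificate in two-way SSL needs.

```shell
#!/bin/sh
# Added example (not from the original post). Writes $DBSERIAL.csr.cnf with SAN
# entries and an explicit key usage, then generates the CSR with openssl.
# All hostnames and DN values are constructed samples.

# write_csr_config <outfile> <common-name> [<extra-san-dns> ...]
write_csr_config() {
  out=$1; cn=$2; shift 2
  {
    printf '[ req ]\n'
    printf 'default_bits        = 2048\n'
    printf 'default_md          = sha256\n'
    printf 'prompt              = no\n'          # take the DN from [ dn ], do not ask interactively
    printf 'distinguished_name  = dn\n'
    printf 'req_extensions      = v3_req\n\n'     # extensions are embedded in the CSR
    printf '[ dn ]\n'
    printf 'C  = US\nST = NewYork\nL  = NewYork\nO  = Example Corp\nOU = Middleware\n'
    printf 'CN = %s\n\n' "$cn"
    printf '[ v3_req ]\n'
    printf 'basicConstraints = CA:FALSE\n'
    # digitalSignature + keyEncipherment: what a TLS server (and a client in two-way SSL) needs
    printf 'keyUsage         = critical, digitalSignature, keyEncipherment\n'
    # serverAuth + clientAuth so the same certificate works on both sides of mutual TLS
    printf 'extendedKeyUsage = serverAuth, clientAuth\n'
    printf 'subjectAltName   = @alt_names\n\n'
    printf '[ alt_names ]\n'
    i=1
    # the CN is repeated as DNS.1; modern clients ignore the CN and match on SAN only
    for name in "$cn" "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$out"
}

# make_csr <workdir> <dbserial>: step 3, with -config pointing at the file from step 2
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/$2.key" -out "$1/$2.csr" -config "$1/$2.csr.cnf"
}

# Usage (constructed names):
#   write_csr_config "$WORKDIR/$DBSERIAL.csr.cnf" zionhost.example.com zionhost-vip.example.com
#   make_csr "$WORKDIR" "$DBSERIAL"
#   openssl req -in "$WORKDIR/$DBSERIAL.csr" -noout -text | grep -A1 'Subject Alternative Name'
```

The last usage line is the check to run before sending the CSR to the CA: every alias, CNAME and VIP name must appear as a DNS: entry, and the Key Usage block must list Digital Signature and Key Encipherment.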
