Using the keytool included with JDK 7, I am creating a keystore including a certificate with a SAN extension. If I decode the certificate, I see the SAN extension. If I then use keytool to export a CSR, the SAN information is missing from the CSR.
What gives?
Update: I've learned that if I want to include a SAN in the CSR I need to explicitly indicate the SAN in the command line like so:
keytool -certreq -alias mycertificate -keystore mekeystore.jks -ext san=dns:mydomain.com
That said, I've punted on using the SAN as signing the CSR with my OpenSSL CA is needlessly complicated.
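To confirm whether an exported CSR actually carries the SAN request, the check below reads the PKCS#10 extensionRequest attribute and lists any dNSName entries. It is an added example, not part of the original post; the function names are hypothetical, and the sample CSRs are constructed skeletons with a placeholder key and signature.

```python
OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest
OID_SAN = bytes.fromhex("551d11")                  # 2.5.29.17 subjectAltName

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def csr_dns_sans(der_csr):
    """Return the dNSName SANs requested in a DER PKCS#10 CSR ([] if none)."""
    info = next(tlvs(next(tlvs(der_csr))[1]))[1]  # CertificationRequestInfo
    attrs = list(tlvs(info))[3][1]  # version, subject, SPKI, then [0] attributes
    names = []
    for _, attr in tlvs(attrs):
        (_, oid), (_, values) = list(tlvs(attr))[:2]
        if oid != OID_EXT_REQ:
            continue
        for _, ext in tlvs(next(tlvs(values))[1]):   # each Extension
            fields = list(tlvs(ext))
            if fields[0][1] == OID_SAN:              # extnValue is the last field
                general_names = next(tlvs(fields[-1][1]))[1]
                names += [v.decode("ascii") for t, v in tlvs(general_names) if t == 0x82]
    return names

def der(tag, *parts):
    """Encode one DER element (used only to build the constructed samples)."""
    body = b"".join(parts)
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_csr(*dns_names):
    """Constructed CSR skeleton: placeholder key and signature, not verifiable."""
    attrs = b""
    if dns_names:
        san = der(0x30, *[der(0x82, d.encode()) for d in dns_names])
        ext = der(0x30, der(0x06, OID_SAN), der(0x04, san))
        attrs = der(0x30, der(0x06, OID_EXT_REQ), der(0x31, der(0x30, ext)))
    info = der(0x30, der(0x02, b"\x00"), der(0x30), der(0x30), der(0xA0, attrs))
    return der(0x30, info, der(0x30), der(0x03, b"\x00"))
```

keytool writes the CSR as PEM, so base64-decode the body between the BEGIN and END lines before passing it to `csr_dns_sans`.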
It is normal that SAN is not included when exporting a CSR. In generating a CSR, you only need to provide one common name or domain name.
Refer to this link: https://support.globalsign.com/customer/portal/articles/1229769-certificate-signing-request-csr---overview
SANs, or Subject Alternative Names, are added during the ordering process of the certificate from a Certificate Authority. SANs are added to the certificate and not to the CSR.