Is there a way possibly to generate a Certificate Sign Request with java keyTool that does not include any Attributes such as "Requested Extensions" or any related extension embedded information?
I am new to using keytool and am dealing with a customer that wants us to generate a CSR with no Attribute information.
Some background info is that I had the private key expire in my keystore which led me to generating a new keystore with the same "PrivateKeyEntry" Alias name from before like so (of course this is an example and I have changed the keystore name and alias of the "PrivateKeyEntry"):
keytool -keystore example-prod-client-ssl.jks -genkey -alias example-prod-client-ssl -storetype JKS -keysize 2048 -keyalg RSA -sigalg SHA1WithRSA
I also needed to remove some expired "trustedCertEntry" aliases once the new keystore was generated, so I exported all valid "trustedCertEntry" certificates from the old keystore and imported them into the new one.
Now, at this point I needed to generate the CSR and have the customer sign since when you generate a new keystore and "PrivateKeyEntry", it is self signed.
I am able to generate the CSR easily with the below command:
keytool -certreq -alias example-prod-client-ssl -file certreq_v2-02112019.csr -keystore example-prod-client-ssl.jks
However, when I parse the CSR with an online tool, I can see that it contains some Attribute information within the request, namely "Requested Extensions":
So my main question is, how can I make it so the Attribute section is empty?
In the past, I see in 2014 we had to perform this same process with the customer, and when I perform the CSR on the old keystore (as a test), I still have attributes that are exactly the same as my new CSR request. But the customer does not want these contained as it causes an error on their side.
Also to add to this, the last CSR request that was sent to the customer for the old keystore (not performed by me - done in 2014 however I have a copy of this CSR file) does not contain this Attribute information and simply has the hex values "a0:00":
So, I believe it is isolated to my CSR request and not the new keystore creation itself since when I generate a CSR on the old keystore (still available to me) it also contains these Attribute requested extensions.
I have toyed around with adding "-ext" to my "-certreq" command to try and suppress or insert an empty Attributes section (since I believe if I do not use the "-ext" parameter the "-certreq" command will default which is why I am experiencing my current problem), but I am unsuccessful.
This issue can be resolved if you use Java JDK 1.6 or less. My current VM is running JDK 10.0.2, so it automatically populated the Attribute Requested Extension X509V3 SubjectKeyIdentifier within the CSR. I just copied the keystore file to an old VM I had with JDK 1.6 and the CSR is generating the way I want with no issues.
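The question relies on an online tool to see whether the CSR's Attributes field is empty (the "a0:00" bytes) or carries a "Requested Extensions" attribute. A CSR only contains a public key, but uploading customer-facing artifacts to third-party sites is still something many teams avoid, so the following is an added example of doing that check offline. It is not code from the question or the answer, and it uses no third-party modules: a minimal DER walker locates the `[0] IMPLICIT Attributes` field of the PKCS#10 `CertificationRequestInfo`, lists the attribute OIDs present, and lists any X.509 extension OIDs inside a PKCS#9 `extensionRequest` attribute (OID 1.2.840.113549.1.9.14). The two sample CSRs at the bottom are constructed byte strings with placeholder key and signature material, shaped like the two cases in the question; the function names are my own.

```python
"""Offline check of the Attributes field in a PKCS#10 CSR (added example)."""
import base64
import re

EXTENSION_REQUEST_OID = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest


def _read_tlv(buf, pos):
    """Return (tag, length, value_start) of the DER TLV beginning at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                              # short-form length
        return tag, first, pos
    n = first & 0x7F                              # long-form: n length octets follow
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _children(value):
    """Yield (tag, value_bytes) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, length, start = _read_tlv(value, pos)
        yield tag, value[start:start + length]
        pos = start + length


def _decode_oid(raw):
    """Decode OID content octets into dotted form."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def load_csr(data):
    """Accept PEM text or DER bytes (as keytool -certreq writes) and return DER."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return data
    text = data.decode() if isinstance(data, bytes) else data
    body = re.sub(r"-----[A-Z ]+-----", "", text)
    return base64.b64decode("".join(body.split()))


def attributes_field(csr_der):
    """Return the raw content of the [0] Attributes field; b'' means 'a0 00'."""
    _, _, start = _read_tlv(csr_der, 0)                      # CertificationRequest
    info_tag, info_len, info_start = _read_tlv(csr_der, start)
    if info_tag != 0x30:
        raise ValueError("not a PKCS#10 CertificationRequest")
    info = csr_der[info_start:info_start + info_len]
    # CertificationRequestInfo: version, subject, subjectPKInfo, [0] attributes
    for tag, value in _children(info):
        if tag == 0xA0:
            return value
    raise ValueError("attributes field missing")


def csr_attribute_oids(csr_der):
    """OIDs of the attributes present; [] when the field is the bare a0 00."""
    oids = []
    for _, attr in _children(attributes_field(csr_der)):
        # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
        (_, oid_raw), *_ = _children(attr)
        oids.append(_decode_oid(oid_raw))
    return oids


def requested_extension_oids(csr_der):
    """OIDs of X.509 extensions carried inside an extensionRequest attribute."""
    found = []
    for _, attr in _children(attributes_field(csr_der)):
        (_, oid_raw), (_, values) = _children(attr)
        if _decode_oid(oid_raw) != EXTENSION_REQUEST_OID:
            continue
        for _, extensions in _children(values):              # SET OF Extensions
            for _, ext in _children(extensions):             # SEQUENCE OF Extension
                (_, ext_oid), *_ = _children(ext)            # Extension.extnID
                found.append(_decode_oid(ext_oid))
    return found


# ---- constructed sample CSRs (placeholder key/signature, never valid) ----
def _tlv(tag, content):
    assert len(content) < 128                    # short-form lengths suffice here
    return bytes([tag, len(content)]) + content


def _sample_csr(attributes):
    version = _tlv(0x02, b"\x00")
    subject = _tlv(0x30, b"")                    # empty Name, sample only
    rsa_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" * 9))
    info = _tlv(0x30, version + subject + spki + attributes)
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010105")) + _tlv(0x05, b""))
    return _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" * 9))


# subjectKeyIdentifier (2.5.29.14) extension wrapped in an extensionRequest
SKI_EXT = _tlv(0x30, _tlv(0x06, b"\x55\x1d\x0e") + _tlv(0x04, _tlv(0x04, b"\x11" * 20)))
EXT_REQ_ATTR = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01090e")) + _tlv(0x31, _tlv(0x30, SKI_EXT)))
CSR_EMPTY_ATTRS = _sample_csr(b"\xa0\x00")       # the "a0:00" case from 2014
CSR_WITH_SKI = _sample_csr(_tlv(0xA0, EXT_REQ_ATTR))

if __name__ == "__main__":
    for name, der in (("empty", CSR_EMPTY_ATTRS), ("with SKI", CSR_WITH_SKI)):
        print(name, csr_attribute_oids(der), requested_extension_oids(der))
```

To use it on a real file, pass the output of `open("certreq.csr", "rb").read()` through `load_csr` and then to `csr_attribute_oids`; an empty list is the result the customer is asking for, and `requested_extension_oids` shows exactly which extensions a newer keytool inserted. This is a structural check only; it does not verify the CSR signature.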