Tomcat – Keytool SubjectAlternativeName

Tags: fqdn, jira, keytool, ssl-certificate, tomcat

I'm trying to get the certificates just right for our Jira/Confluence deployments in house. People access them differently, either from the hostname or the FQDN. I'm using Java 7's keytool so I have access to the server alternate name functionality:

-ext san=dns:jira

…and I hand it…

jira.example.com

…as the CN when generating the certificate. I then generate a signing request, hand the CSR off to our Win2k8r2 PKI for a certreq to get the key signed and import the key back into the keystore.

Now, when I have it set up as I've said above, my browsers (Chrome, Firefox, Safari) seem to think that jira is the only valid name, even though when I inspect the certificate the CN shows the FQDN.

If I drop the ext it will use the CN which is the FQDN.

When I have multiple ext statements it just uses the last one, and I've tried to string multiple DNS:foo entries together under one ext entry with various punctuation.

Another angle I've run across is to set up the web server to do a 301 to the FQDN. I'm fine with this as well, but I'm stuck with Tomcat, so "switch to Apache/nginx" won't work for me. This seems to be the only documentation I've come across to do something like that with Tomcat, but it's 3 years old and it's the end of the day for me. Have they added that functionality to Tomcat6?

Best Answer

I realize this question is pretty old but for anyone who may find it useful I'll mention what works for me:

  • use CN to enter some human friendly name like "our cool JIRA server" ;-)
  • enter san like this: -ext san=dns:jira,dns:jira.example.com

BTW, you can also add IP addresses if you like. I personally use the following for my development computer:

keytool -certreq ... -file server.csr -keystore server.keystore ... -ext san=dns:localhost,dns:myComputerName,ip:127.0.0.1,ip:::1

NOTE: I use the java8 keytool; I hope this works in the java7 keytool as well, but I haven't tested it.
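The behaviour behind the question's symptom and the answer's fix, as an added example that is not code from the question, the answer or keytool: once a certificate carries a subjectAltName, browser-style name checking (RFC 6125 / RFC 2818) consults only the SAN entries and ignores the CN, so `san=dns:jira` alone rejects `jira.example.com` while `san=dns:jira,dns:jira.example.com` accepts both. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; no real certificate is parsed.

```python
"""Browser-style hostname check: SAN entries win, CN is a legacy fallback only.

Added example, not code from the question or the answer. The cert dicts are
constructed samples shaped like ``ssl.SSLSocket.getpeercert()`` output.
"""
import ipaddress


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact DNS-ID match (trailing dots ignored)."""
    return pattern.lower().rstrip(".") == hostname.lower().rstrip(".")


def _as_ip(value: str):
    """Parse an IP literal, or return None if the value is a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if cert is valid for hostname (a DNS name or an IP literal).

    When a subjectAltName is present, only its DNS / IP Address entries
    count; the subject CN is consulted only when the cert has no SAN at all.
    """
    ip = _as_ip(hostname)
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "DNS" and ip is None and _dns_matches(value, hostname):
                return True
            if kind == "IP Address" and ip is not None and _as_ip(value) == ip:
                return True
        return False  # SAN present but nothing matched: CN is NOT consulted
    # No SAN at all: legacy fallback to the CN, DNS names only
    return ip is None and any(
        key == "commonName" and _dns_matches(value, hostname)
        for rdn in cert.get("subject", ()) for key, value in rdn)


# Constructed sample certificates mirroring the setups discussed above
CERT_SAN_SHORT_ONLY = {"subject": ((("commonName", "jira.example.com"),),),
                       "subjectAltName": (("DNS", "jira"),)}
CERT_SAN_BOTH = {"subject": ((("commonName", "our cool JIRA server"),),),
                 "subjectAltName": (("DNS", "jira"), ("DNS", "jira.example.com"),
                                    ("IP Address", "127.0.0.1"), ("IP Address", "::1"))}
CERT_NO_SAN = {"subject": ((("commonName", "jira.example.com"),),)}
```

Running `hostname_matches(CERT_SAN_SHORT_ONLY, "jira.example.com")` returns False, which is exactly what the browsers in the question were reporting.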