Include SANs in SSL CRT


I want to generate a SSL certificate with SANs. When I try “keytool -certreq -alias tomcat -file C:\csr.txt -keystore C:\ssl.key -ext” I get an error saying ‘illegal operation: -ext’.


Try putting the -ext argument before the C:\ssl.key filepath - the argument parsing likely doesn’t expect arguments after the output file.

Tried it. I get the same error. I could not find -ext in help as well. Is this something related to Java version?

You say you want to generate a new certificate but it looks like you’re running a command to generate a CSR…

Sorry, I meant CSR not CRT.

The SAN needs to be part of the certificate before you generate a CSR for it.

Try generating a new certificate, using -ext SAN=... to put your desired hostname into it, then generate a CSR without that sub-command.