
Spectrum - Using Subject Alternative Names (SAN) when enabling SSL for OneClick seems not to be picked up by the CA Authority


Article ID: 216236




DX NetOps


Following the Configure OneClick for Secure Sockets Layer section in the product documentation, I'm not able to get the SAN options I set using keytool (-ext SAN) picked up by our internal CA.

I have tried reducing the number of SANs defined but this makes no difference.



Release : 20.2

Component : Spectrum Core / SpectroSERVER


The SAN options must be included when the private self-signed certificate is generated, and again when the certificate request is generated.

Otherwise, the certificate created by the CA will not include the Subject Alternative Names.


1. Change to the $SPECROOT/Java/bin directory.

2. Run:
    keytool -genkey -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts -ext ","
    In the above line, replace the value passed to -ext with the SAN that applies to your environment. For instance, SAN=IP:,DNS:spectrum104

3. To confirm the SAN was added, run:
    keytool -list -v -keystore c:/win32app/Spectrum/custom/keystore/cacerts > C:\keystorelist.txt
    Review C:\keystorelist.txt; you should see that the extensions were added:

Alias name: tomcatssl
Creation date: May 28, 2021

#1: ObjectId: Criticality=false
SubjectAlternativeName [
  DNSName: spectrum104

4. Create the certificate request:
    keytool -certreq -alias tomcatssl -keystore c:/win32app/Spectrum/custom/keystore/cacerts -ext "," -file C:\cert-req.csr
    In the above line, replace the value passed to -ext with the SAN that applies to your environment. For instance, SAN=IP:,DNS:spectrum104

5. Check that the certificate request includes the SAN extension with the following command:
    openssl req -in C:\cert-req.csr -noout -text
    openssl is usually included with Linux, or you can install it from the distribution's repositories. On Windows, if it is not installed, you can download the GnuWin32 version. The output should include:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:, DNS:spectrum104

6. Import the certificate following the steps described in the documentation.

7. The certificate returned by the CA should include the SAN. You can check it from the browser when you first load the OneClick home page after OneClick is configured to use SSL.
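
The check in step 5 can be automated before the request is sent to the CA. The following is an added example, not part of the original article or the product: it compares the SAN value given to keytool -ext against the output of openssl req -noout -text and reports any entry the request lacks. The function names, the script name in the usage comment, the IP address 192.0.2.10 and the sample outputs are assumptions constructed for illustration.

```python
import ipaddress
import subprocess
import sys

def _canon(entry):
    """Normalize one SAN entry to 'TYPE:value' (openssl prints 'IP Address', keytool takes 'IP')."""
    kind, _, value = entry.strip().partition(":")
    kind = kind.strip().upper()
    if kind in ("IP", "IP ADDRESS"):
        return "IP:" + str(ipaddress.ip_address(value.strip()))  # canonical v4/v6 form
    return f"{kind}:{value.strip().lower()}"

def sans_in_openssl_text(text):
    """Collect SAN entries from `openssl req -noout -text` output."""
    lines = text.splitlines()
    found = set()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" in line:
            # The entries are on the line that follows the extension name.
            found |= {_canon(e) for e in lines[i + 1].split(",") if ":" in e}
    return found

def missing_sans(ext_value, openssl_text):
    """Return the SANs named in the keytool -ext value that the CSR text lacks."""
    wanted = {_canon(e) for e in ext_value.partition("=")[2].split(",") if ":" in e}
    return sorted(wanted - sans_in_openssl_text(openssl_text))

# Constructed sample outputs (assumptions, not taken from a real system).
CSR_WITH_SAN = """\
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.0.2.10, DNS:spectrum104
"""
CSR_WITHOUT_SAN = """\
    Subject: CN = spectrum104
        Attributes:
            (none)
"""

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_csr_san.py <csr-file> "SAN=IP:192.0.2.10,DNS:spectrum104"
    out = subprocess.run(["openssl", "req", "-in", sys.argv[1], "-noout", "-text"],
                         check=True, capture_output=True, text=True).stdout
    missing = missing_sans(sys.argv[2], out)
    print("CSR is missing:", ", ".join(missing) if missing else "nothing")
    sys.exit(1 if missing else 0)
```

A non-zero exit status means the -ext option was left off the keytool -certreq command or did not list every name, which is the condition that leads the CA to issue a certificate without the SAN.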


Additional Information

Configure OneClick for Secure Socket Layer