If a certificate in a keystore (Java keystore or PKCS12 keystore) has Subject Alternative Names (SAN), they are listed by keytool -list -v. If the same certificate is stored in a Bouncy Castle (BCFKS) keystore, the SANs do not show up in the listing.
Example:
keytool -keystore .keystore -storepass changeit -storetype PKCS12 -list -v
Alias name: wla
Creation date: Apr 27, 2026
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=abc.example.com
Issuer: CN=abc.example.com
Serial number: #####
Valid from: Mon Apr 27 10:30:42 CDT 2026 until: Tue Apr 27 10:30:42 CDT 2027
Certificate fingerprints:
  SHA1: ####
  SHA256: #####
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: wcc.example.com
  DNSName: wccserver1.example.com
  DNSName: wccserver2.example.com
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: #### ...\X]..X. p..np
0010: 0A E6 FB B5 ....
]
]

keytool -keystore .keystore.bcfks -storepass ##### -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar -list -v
Note: $AUTOSYS/lib/bc-fips.jar or $CA_WCC_INSTALL_LOCATION/bin/lib/bc-fips.jar can be used.

Keystore type: BCFKS
Keystore provider: BCFIPS

Your keystore contains 1 entry

Alias name: wla
Creation date: Apr 27, 2026
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=abc.example.com
Issuer: CN=abc.example.com
Serial number: ######
Valid from: Mon Apr 27 10:30:42 CDT 2026 until: Tue Apr 27 10:30:42 CDT 2027
Certificate fingerprints:
  SHA1: #######
  SHA256: #######
Signature algorithm name: SHA384WITHRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

**************************************************************************************

Notice there are no extensions shown in the list.
This is by design at this time, because of the additional Bouncy Castle provider that keytool needs to use when accessing the contents of the BCFKS keystore file.

The extensions can still be viewed by converting the BCFKS keystore to a PKCS12 keystore and listing that:

keytool -importkeystore -srckeystore .keystore.bcfks -srcstorepass #### -destkeystore .keystore -srcstoretype BCFKS -deststoretype PKCS12 -deststorepass changeit -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $CA_WCC_INSTALL_LOCATION/bin/lib/bc-fips.jar
keytool -keystore .keystore -storepass changeit -storetype PKCS12 -list -v

They can also be viewed by exporting the certificate from the BCFKS keystore and printing it:

keytool -exportcert -keystore .keystore.BCFKS -storetype BCFKS -storepass ##### -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $CA_WCC_INSTALL_LOCATION/bin/lib/bc-fips.jar -alias wla -file example.crt

Certificate stored in file <example.crt>

keytool -printcert -file example.crt

Owner: CN=abc.example.com
Issuer: CN=abc.example.com
Serial number: ####
Valid from: Mon Apr 27 10:30:42 CDT 2026 until: Tue Apr 27 10:30:42 CDT 2027
Certificate fingerprints:
  SHA1: ####
  SHA256: ####
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: wcc.example.com
  DNSName: wccserver1.example.com
  DNSName: wccserver2.example.com
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: #### 58 E4 20 70 11 D5 6E 70 ...\X]..X. p..np
0010: 0A E6 FB B5 ....
]
]
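
Because the BCFKS listing omits the extensions, a host-name check has to run against keytool -printcert output for the exported certificate. The script below is an added example, not part of the original article or the product: the function names, the sample text and the name wccserver3.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example: check SAN entries in `keytool -printcert` output.
# Function names and the sample text are constructed for illustration.

# Print the entries of the SubjectAlternativeName block, one per line (reads stdin).
san_from_printcert() {
    awk '
        /^SubjectAlternativeName \[/ { in_san = 1; next }  # block opens
        in_san && /^\]/              { in_san = 0; next }  # block closes
        in_san {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")       # trim whitespace
            if ($0 != "") print
        }'
}

# $1 = printcert output, remaining args = DNS names the certificate must list.
# Prints each name that is absent and returns 1 if any is missing.
missing_sans() {
    printcert_output=$1; shift
    sans=$(printf '%s\n' "$printcert_output" | san_from_printcert)
    rc=0
    for host in "$@"; do
        # DNS names compare case-insensitively; -x -F demand an exact whole-line match
        if ! printf '%s\n' "$sans" | grep -qixF "DNSName: $host"; then
            echo "$host"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample in the layout keytool -printcert prints (names from the article).
SAMPLE_PRINTCERT='Owner: CN=abc.example.com
Issuer: CN=abc.example.com
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: wcc.example.com
  DNSName: wccserver1.example.com
  DNSName: wccserver2.example.com
]'

# Real use: keytool -printcert -file example.crt | san_from_printcert
printf '%s\n' "$SAMPLE_PRINTCERT" | san_from_printcert
missing_sans "$SAMPLE_PRINTCERT" wcc.example.com wccserver3.example.com ||
    echo "above name(s) missing from the certificate"
```

Output with no Extensions section, such as the BCFKS -list -v listing, produces an empty SAN list, so every expected name is reported as missing.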