First of all, create a configuration file (the commands below refer to it as req.cnf);
# my.cnf
[ req ]
distinguished_name= req_distinguished_name
default_days = 1460 # (4 years) - an "openssl ca" option; "openssl req" ignores it here
encrypt_key = no
default_bits = 1024
string_mask = nombstr
req_extensions = v3_req # Extensions to add to certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = TR
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Istanbul
localityName = Locality Name (eg, city)
localityName_default = Istanbul
0.organizationName = Organization Name (eg, company)
0.organizationName_default = MyOrganization
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = MyUnit
emailAddress = Email Address
emailAddress_default = myemail@mydomain.com
commonName = Common Name (eg, YOUR name)
commonName_default = mydomain.com
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = view
DNS.2 = viewconn01
DNS.3 = viewconn02
DNS.4 = view.mydomain.intra
DNS.5 = viewconn01.mydomain.intra
DNS.6 = viewconn02.mydomain.intra
DNS.7 = view.mydomain.com
Then, create the certificate request and the private key using the configuration file;
$ openssl req -batch -new -config req.cnf -out req.pem -keyout key.pem
Generating a 1024 bit RSA private key
..++++++
...........................++++++
writing new private key to 'key.pem'
-----
Verify that your host headers are listed in the X509v3 Subject Alternative Name section;
$ openssl req -in req.pem -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=TR, ST=Istanbul, L=Istanbul, O=MyOrganization, OU=MyUnit/emailAddress=myemail@mydomain.com, CN=mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:dc:57:b5:4d:5b:74:59:e9:6b:df:68:66:f6:af:
ab:1a:c3:47:5f:bd:ca:20:d1:d1:12:a8:fa:d9:b4:
97:99:f4:c3:6c:84:89:06:c8:12:c7:c6:40:5c:8b:
31:b1:23:e6:16:af:ea:9d:40:17:78:74:2e:e4:80:
da:08:60:17:9f:3d:59:19:19:15:02:49:db:03:f2:
a3:02:cd:b8:16:48:5f:d1:8b:7a:7c:e2:c2:67:cf:
15:bc:85:8f:1e:d2:da:e8:08:5e:33:5f:b9:ab:e0:
f3:31:ad:74:1f:50:30:86:b1:2a:cc:76:48:cf:6d:
75:94:4c:ae:58:c5:e0:29:0b
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:view, DNS:viewconn01, DNS:viewconn02, DNS:view.mydomain.intra, DNS:viewconn01.mydomain.intra, DNS:viewconn02.mydomain.intra, DNS:view.mydomain.com
Signature Algorithm: sha1WithRSAEncryption
8a:72:30:04:0f:8d:17:74:d3:62:46:a6:01:51:f8:fa:da:f5:
ce:30:0a:e0:28:bb:ca:e3:9e:3b:25:bf:67:c7:9f:f2:b4:c9:
54:f8:a3:66:cd:f6:ef:fc:98:64:d7:9d:6d:ae:4a:7b:f4:95:
28:d3:93:62:e3:15:9b:4e:7f:59:bd:a2:0b:7e:8e:86:da:ec:
fd:b4:f8:a0:08:da:2d:58:93:0a:b3:c4:e7:42:c1:17:42:40:
49:0c:af:5f:57:db:9c:41:2e:75:eb:94:e8:06:de:2d:ed:9a:
13:2b:25:6a:98:e4:02:60:56:46:da:ba:6e:a2:ee:14:5a:2d:
5e:46
Now, the multi domain certificate request is created. You should have it signed by the Certificate Authority. After getting the signed certificate in PEM format we need to import the certificate into a JKS (Java Key Store). You can import the certificates with ImportKey (Thanks to Joachim Karrer and Jens Carlberg), but first you have to convert the base64 encoded PEM files to DER format;
$ openssl x509 -in cert.pem -out cert.der -outform der
$ openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform der
You can download the source (ImportKey.java) or the compiled (ImportKey.class) one, and run it as follows;
$ java ImportKey key.der cert.der
Using keystore-file : /home/user/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey Password:importkey
Now it is time to configure VMware View Connection Server to make it use the newly generated JKS. Type the following lines into the locked.properties file;
C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties
keyfile=keystore.ImportKey
keypass=importkey
storetype=jks
Then restart the "VMware View Connection Server" service;
>net stop "VMware View Connection Server"
The VMware View Connection Server service is stopping........
The VMware View Connection Server service was stopped successfully.
>net start "VMware View Connection Server"
The VMware View Connection Server service is starting.
The VMware View Connection Server service was started successfully.
When you browse your host headers, everything should be fine and the certificate details should look similar to those below.
hi,
I followed your steps and got LOST at the step below:
1) where to get this file "cert.pem"?
"openssl x509 -in cert.pem -out cert.der -outform der"
2) can I replace "Keytool.exe" with "java ImportKey key.der cert.der"?
many thanks
thomasyeo8234@gmail.com
Hi Thomas,
1) You should send the req.pem (Certificate Request) to the CA (Certificate Authority) and have it signed. Then, you can rename it as cert.pem.
If you want to sign the request with openssl yourself, make sure to use the "copy_extensions = copy" directive while signing with the CA certificate. Otherwise it drops the extensions, including subjectAltName.
2) Keytool is not able to import existing private keys, this is why we need to use ImportKey.
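As an added example (not code from the post), this sh script automates the SAN check that the "openssl req -noout -text" step above does by eye and shows the extension-dropping pitfall from the reply: it builds the CSR from a constructed copy of the config, self-signs it both ways and confirms which certificate still carries the DNS names. Helper names are assumptions; it re-applies the v3_req section with -extfile/-extensions (the "openssl x509" counterpart of the copy_extensions = copy setting that "openssl ca" reads) and uses 2048-bit keys, since public CAs no longer accept 1024-bit ones.

```shell
# Added example (not from the post); helper names are hypothetical. Needs openssl.
WORK=$(mktemp -d)

# Constructed request config: the post's layout, no prompts, three SAN entries.
write_req_cnf() {
cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
encrypt_key = no
default_bits = 2048
req_extensions = v3_req
[ req_distinguished_name ]
CN = mydomain.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = view
DNS.2 = view.mydomain.intra
DNS.3 = view.mydomain.com
EOF
}

# Sorted DNS SAN entries of a CSR ($1 = req) or a certificate ($1 = x509).
san_names() {
  openssl "$1" -in "$2" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort
}

# Succeed only if every name in the space-separated list $3 is a SAN in $2.
check_sans() {
  found=$(san_names "$1" "$2")
  for n in $3; do
    printf '%s\n' "$found" | grep -qx "$n" || { echo "missing SAN: $n" >&2; return 1; }
  done
}

# Key + CSR as in the post, then two self-signed certificates from that CSR:
# plain signing drops the requested extensions, -extfile/-extensions keeps them.
run_demo() {
  cnf="$WORK/req.cnf"; write_req_cnf "$cnf"
  openssl req -batch -new -config "$cnf" -out "$WORK/req.pem" \
    -keyout "$WORK/key.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" -days 30 \
    -out "$WORK/nosan.pem" 2>/dev/null          # subjectAltName silently lost
  openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" -days 30 \
    -extfile "$cnf" -extensions v3_req -out "$WORK/san.pem" 2>/dev/null
}
run_demo; check_sans x509 "$WORK/san.pem" "view view.mydomain.intra view.mydomain.com" && echo "signed cert keeps all SANs"
```

Run the same check_sans call against the PEM returned by your real CA before importing it into the JKS; a certificate missing any host header will fail the browser's name check even though it imports without complaint.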