java.security.cert.CertificateException: No subject alternative names present
I'm talking to an IP address rather than a domain name, the RFC2818 specs say:
This blog entry is also helpful to understanding the problem:In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
Under the covers Spring Integration is using a HostNameChecker which is throwing the exception. The next line of the exception stack confirms:
I will need to set the IP address as subject alternative name with type IPAddress (key=7). In Java 6 or lower, keytool does not support X.509v3 certificate extensions:
at sun.security.util.HostnameChecker.matchIP(Unknown Source)
I will need to set the IP address as subject alternative name with type IPAddress (key=7). In Java 6 or lower, keytool does not support X.509v3 certificate extensions:
OpenSSL is an alternative way of generating certificates with extensions. However, I chose to download Java 7 and the new version of keytool:
# create keystore and generate client key pair
keytool -genkey -alias client -keyalg RSA -validity 3650 -ext san=IP:<ip address> -keystore .\client.keystore -storepass <password> -keypass <password>
Export and import into client's truststore as before and the no subject alternative names problem is fixed :)
# create keystore and generate client key pair
keytool -genkey -alias client -keyalg RSA -validity 3650 -ext san=IP:<ip address> -keystore .\client.keystore -storepass <password> -keypass <password>
Export and import into client's truststore as before and the no subject alternative names problem is fixed :)
No comments:
Post a Comment