Friday, 3 February 2012

Subject Alternative Name

I'm using Spring Integration to talk to a HTTP/REST service.  To secure the link I set up mutual SSL authentication.  I now get the following error:

java.security.cert.CertificateException: No subject alternative names present

I'm talking to an IP address rather than a domain name, the RFC2818 specs say:
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI. 
This blog entry is also helpful to understanding the problem:


Under the covers Spring Integration is using a HostNameChecker which is throwing the exception.  The next line of the exception stack confirms:

 at sun.security.util.HostnameChecker.matchIP(Unknown Source)

I will need to set the IP address as subject alternative name with type IPAddress (key=7).  In Java 6 or lower, keytool does not support X.509v3 certificate extensions:


OpenSSL is an alternative way of generating certificates with extensions.  However, I chose to download Java 7 and the new version of keytool:

# create keystore and generate client key pair
keytool -genkey -alias client -keyalg RSA -validity 3650 -ext san=IP:<ip address> -keystore .\client.keystore -storepass <password> -keypass <password>

Export and import into client's truststore as before and the no subject alternative names problem is fixed :)

No comments:

Post a Comment