Certificate for <localhost> doesn't match any of the subject alternative names

The Error:

javax.net.ssl.SSLException: Certificate for <localhost> doesn't match any of the subject alternative names: [xxxxxxx.xxx.xxxxxx.xxx]

I have a Spring Boot app running on my localhost. I also have an SSH tunnel via PuTTY to a server.

Things I have done:

  • I manually created/imported keys/certificates in every way.
  • I used -ext from keytool to add the DNS address and localhost to the SAN.
  • I also used an open-source Java file to install the cert.
  • I changed the hosts file to: 127.0.0.1 xxx.xxx.xxxxxxx.xxx (if I ping the DNS name it responds with the localhost address)
  • I used the VM Arguments -Djavax.net.debug=ssl to check if the certs are loading properly.

What am I missing? BTW, I'm also using a VPN.

Fabio Cardoso asked Jun 19 '18 12:06



1 Answer

You need to provide localhost as a subject alternative name when creating your certificate. You can do that by providing the following additional parameter: -ext "SAN:c=DNS:localhost,IP:127.0.0.1"

So something like this:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias stackoverflow -dname "CN=stackoverflow,OU=Hakan,O=Hakan,C=NL" -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -keystore identity.jks -storepass secret -keypass secret -deststoretype pkcs12

Some explanation:

The SAN field will be used to match the hostname which will be provided in the request. So when you are running your application on localhost, let's say https://localhost:443, and you also want to make a request to that specific host, then that hostname should also be available within the SAN field, or else it will fail during the handshake process.

Let's grab Stackoverflow as an example. To be able to reach stackoverflow over https we would expect that the certificate should contain at least an entry of stackoverflow.com.

Below is the certificate SAN value of stackoverflow with the specific DNS entry highlighted for this example: (image: Stackoverflow certificate SAN values)

As you can see, it also contains other DNS values. In this way website owners can use the same certificate for multiple websites/subdomains, etc.

Hakan54 answered Sep 19 '22 21:09

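As an added illustration of the matching rule the answer describes (example code written for this page, not code from the question, the answer, or keytool): a minimal Python model of how a TLS client's hostname verifier compares the host written in the URL against the certificate's SAN entries, which also shows why editing the hosts file cannot fix the error. It goes slightly beyond the answer by handling wildcard DNS entries and IP entries; the names parse_keytool_san, dns_name_matches and san_matches are this example's own, and SAN entries are taken as keytool-style strings rather than read from a real certificate.

```python
# Added example, not code from the question or answer. Models the SAN check a
# TLS hostname verifier performs; keytool's "-ext SAN" syntax is assumed.
import ipaddress

def parse_keytool_san(ext_arg: str) -> list[str]:
    """'SAN:c=DNS:localhost,IP:127.0.0.1' -> ['DNS:localhost', 'IP:127.0.0.1'].
    The ':c' before '=' is keytool's 'critical' flag, not a SAN entry."""
    _, _, values = ext_arg.partition("=")
    return [v.strip() for v in values.split(",") if v.strip()]

def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS SAN match. A wildcard is accepted only as the whole
    leftmost label and covers exactly one label: *.example.com matches
    www.example.com but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def san_matches(san_entries: list[str], requested_host: str) -> bool:
    """True if the host written in the URL is covered by some SAN entry.
    DNS entries only match a name, IP entries only a literal address; what
    the name resolves to (DNS, hosts file, tunnel) plays no part."""
    try:
        requested_ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        requested_ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if kind == "DNS" and requested_ip is None:
            if dns_name_matches(value, requested_host):
                return True
        elif kind == "IP" and requested_ip is not None:
            try:
                if ipaddress.ip_address(value) == requested_ip:
                    return True
            except ValueError:
                continue  # malformed IP entry never matches
    return False

if __name__ == "__main__":
    # Constructed inputs: the SAN implied by the error, and the answer's SAN.
    only_remote = ["DNS:xxxxxxx.xxx.xxxxxx.xxx"]
    with_local = parse_keytool_san("SAN:c=DNS:localhost,IP:127.0.0.1")
    print(san_matches(only_remote, "localhost"), san_matches(with_local, "localhost"))
```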