 

Certificate with more than one IP SAN extension

Tags: java, ssl, keytool

I’m using a Java web service client, which connects to a web service via HTTPS. The machine on the server side has more than one IP address, and I would like to reach this web service through any of its IPs. The client is only able to reach the server through IP-based URLs, not DNS-resolvable host names.

Since the WS client performs the verification of the certificate identity based on the IP SAN extension that was established while building the certificate through the Java keytool, I wonder if it’s possible to build a certificate enumerating more than one IP SAN extension? So far I could only establish one IP per certificate, but then, when I try to reach the WS through any other IP (a.b.c.d), I get an error stating that the certificate wasn’t made with that IP:

java.security.cert.CertificateException: No subject alternative names matching IP address a.b.c.d found

If this is not possible, how do you suggest I circumvent this issue?

Thanks

Asked by user3031025 on Nov 25 '13 13:11



1 Answer

I already found how to do it... and sorry to bother you guys with this dumb question... easy:

san=ip:a.b.c.d,ip:e.f.g.h

Thanks,

Ric.

Answered by user3031025 on Sep 30 '22 07:09