Menu
I'm using openssl to create self-signed certs. I'm getting this error with the certs I generated:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
Does anyone know how to specify "Subject alternative name" while creating a cert? This is how I'm generating a keystore:
sudo $JAVA_HOME/bin/keytool -genkey -dname "CN=192.168.x.xxx, OU=I, O=I, L=T, ST=On, C=CA" -alias tomcat -validity 3650 -keyalg RSA -keystore /root/.keystore -keypass abcd -storepass abcd To generate a key:
openssl s_client -connect 192.168.x.xxx:8443 2>/dev/null Please help! Thanks!
568
After your UCC certificate is issued, you can add or remove Subject Alternative SANs at any time.
The Subject Alternative Name (SAN) is an extension to the X. 509 specification that allows users to specify additional host names for a single SSL certificate. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common name.
Although this question was more specifically about IP addresses in Subject Alt. Names, the commands are similar (using DNS entries for a host name and IP entries for IP addresses).
To quote myself:
If you're using
keytool, as of Java 7, keytool has an option to include a Subject Alternative Name (see the table in the documentation for -ext): you could use -ext san=dns:www.example.com or -ext san=ip:10.0.0.1
Note that you only need Java 7's keytool to use this command. Once you've prepared your keystore, it should work with previous versions of Java.
(The rest of this answer also mentions how to do this with OpenSSL, but it doesn't seem to be what you're using.)
129
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
