Rakesh Goyal

Reputation: 3231

SSL Certificate - No subject alternative names present

I am trying to generate a self-signed SSL certificate but get the following error in CAS SSO:

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

I am using OpenJDK 7 and used the following commands:

keytool -genkey -alias axyz -keypass changeit -keyalg RSA -ext san=ip:192.168.1.4

keytool -export -alias axyz -keypass changeit -file axyz.crt

keytool -import -file axyz.crt -alias axyz -keystore /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts

Hostname: vaapdev, internal IP address: 192.168.1.4, public IP address: 108.51.62.36

Not sure where I am going wrong. I tried both 192.168.1.4 and 108.51.62.36 in -ext, and also tried without the -ext parameter.

Upvotes: 1

Views: 13534

Answers (2)

Abhishek Galoda

Reputation: 3054

You can do 2 things here: either change the CN name in the self-signed certificate to match the domain where you are running the application (if it is localhost, then the CN name should be localhost), or else add the subject alt names as mentioned below.

Please look at this link to understand step by step.

The above error means that your JKS file is missing the required domain on which you are trying to access the application. You will need to use OpenSSL and keytool to add multiple domains:

  1. Copy the openssl.cnf into the current directory
  2. echo '[ subject_alt_name ]' >> openssl.cnf
  3. echo 'subjectAltName = DNS:example.mydomain1.com, DNS:example.mydomain2.com, DNS:example.mydomain3.com, DNS:localhost' >> openssl.cnf
  4. openssl req -x509 -nodes -newkey rsa:2048 -config openssl.cnf -extensions subject_alt_name -keyout private.key -out self-signed.pem -subj '/C=gb/ST=edinburgh/L=edinburgh/O=mygroup/OU=servicing/CN=www.example.com/[email protected]' -days 365
  5. Export the public key (.pem) file to PKCS12 format. This will prompt you for a password.

    openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -in self-signed.pem -inkey private.key -name myalias -out keystore.p12

  6. Create a JKS from the self-signed PEM (keystore)

    keytool -importkeystore -destkeystore keystore.jks -deststoretype PKCS12 -srcstoretype PKCS12 -srckeystore keystore.p12

  7. Generate a certificate from the above keystore or JKS file

    keytool -export -keystore keystore.jks -alias myalias -file selfsigned.crt

  8. Since the above certificate is self-signed and is not validated by a CA, it needs to be added to the truststore (the cacerts file is in the location below for Mac; for Windows, find out where your JDK is installed).

    sudo keytool -importcert -file selfsigned.crt -alias myalias -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts


Original answer posted on this link here.

Upvotes: 0

Marcel Stör

Reputation: 23565

When using a host name it's possible to fall back to the Common Name in the Subject DN of the server certificate instead of using the Subject Alternative Name.

When using an IP address there must be a Subject Alternative Name entry (of type IP address, not DNS name) in the certificate.

You'll find more details about the specification and how to generate such a certificate here: https://stackoverflow.com/a/8444863/372643

Upvotes: 1
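The matching rule described in the answer above (IP literals need a SAN iPAddress entry; host names use SAN dNSName entries and fall back to the CN only when the certificate carries no dNSName at all) is modelled below in pure Python. This is an added illustration, not code from the question or the answers; the certificate dictionaries are constructed stand-ins for real certificates and the reason strings only paraphrase the Java messages.

```python
import ipaddress

# Constructed certificate descriptions (not real certificates): only the
# fields relevant to hostname verification are modelled here.
CERT_CN_ONLY = {"cn": "vaapdev", "san": []}
CERT_SAN_IP = {"cn": "vaapdev", "san": [("IP", "192.168.1.4")]}
CERT_SAN_DNS_AND_IP = {
    "cn": "ignored.example",
    "san": [("DNS", "vaapdev"), ("DNS", "*.internal.example"), ("IP", "192.168.1.4")],
}


def _is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _dns_matches(pattern, host):
    """Case-insensitive match; a single wildcard is allowed as the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # e.g. ".internal.example"
        head, sep, rest = host.partition(".")
        return sep != "" and head != "" and "." + rest == suffix
    return pattern == host


def verify_host(expected, cert):
    """Return (ok, reason) following the rule a Java client applies to the peer name."""
    san = cert["san"]
    if _is_ip_literal(expected):
        # An IP literal is only ever compared against SAN iPAddress entries.
        if not san:
            return False, "No subject alternative names present"
        ips = [v for t, v in san if t == "IP"]
        if any(ipaddress.ip_address(v) == ipaddress.ip_address(expected) for v in ips):
            return True, "matched SAN IP entry"
        return False, "No subject alternative names matching IP address %s found" % expected
    dns = [v for t, v in san if t == "DNS"]
    if dns:
        # Once any dNSName is present, the CN is no longer consulted.
        if any(_dns_matches(p, expected) for p in dns):
            return True, "matched SAN DNS entry"
        return False, "No subject alternative DNS name matching %s found" % expected
    if _dns_matches(cert["cn"], expected):
        return True, "no SAN DNS entries; fell back to CN"
    return False, "No name matching %s found" % expected
```

Connecting to 192.168.1.4 with a certificate that has no SAN reproduces the question's error text, while connecting by host name to the same certificate succeeds via the CN.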
