markus

Reputation: 6568

Getting java.security.cert.CertificateException, although the certificate is imported into the truststore

I always receive a

java.security.cert.CertificateException: No subject alternative names present

exception, although I've imported the certificate into my truststore. Here is my setup:

I'm using a small HTTPS server based on com.sun.net.httpserver.HttpsServer. I've created a keystore with a self-signed certificate:

keytool -genkey -keyalg RSA -alias myCert -keystore keystore.jks -storepass myPass -validity 360 -keysize 2048 

I'm passing the path and password to the keystore as VM arguments: -Djavax.net.ssl.keyStore=/tmp/truststore.jks -Djavax.net.ssl.keyStorePassword=myPass

If I run openssl s_client -connect 192.168.1.101:4443 I can see that it uses the right certificate.

To trust the certificate on the client side, I've exported the certificate from the server keystore and imported it into the client truststore:

  keytool -export -alias myCert -file myCert.crt -keystore keystore.jks
  keytool -import -trustcacerts -alias -file myCert.crt -keystore truststore.jks

For the client I use a small test program using Jersey. I'm passing the path to the truststore as a VM argument: -Djavax.net.ssl.trustStore=/tmp/truststore.jks

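import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.MediaType;

public class Tester {
    public static void main(String[] args) {

        // Default JAX-RS client; it uses the JVM-wide truststore set via -Djavax.net.ssl.trustStore
        Client client = ClientBuilder.newClient();
        try {
            // The server is addressed by IP literal, so the certificate is checked against this IP
            String name = client.target("https://192.168.1.101:4443")
                    .request(MediaType.TEXT_PLAIN)
                    .get(String.class);

            System.out.println(name);
        } catch (final Exception e) {
            System.err.println(e);
        } finally {
            client.close(); // release the client's resources
        }
    }
}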

But even though the self-signed certificate is in the truststore, I always get the

  java.security.cert.CertificateException: No subject alternative names present
exception

What can be the reason for it?

Upvotes: 0

Views: 705

Answers (1)

Oleg Estekhin

Reputation: 8405

The HTTPS certificate should contain the SubjectAltName extension, whose value should be the IP address (192.168.1.101 in your case) or the DNS name of the host.

Upvotes: 1
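
An added diagnostic, not part of the original answer: it reads the SubjectAltName entries Java exposes through `X509Certificate.getSubjectAlternativeNames()` and checks whether one covers the host, requiring an iPAddress entry for an IP literal such as 192.168.1.101. The class name `SanCheck`, the helper `sanCovers` and the sample name `server.example` are assumptions for illustration, and matching is simplified to exact comparison.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

// Added example (not from the original post): reports whether a certificate's
// SubjectAltName entries cover the host a client connects to.
public class SanCheck {
    // GeneralName type tags used by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2;
    static final int IP_ADDRESS = 7;

    // Simplified check: exact match only (no wildcards), IPv4 literals only.
    static boolean sanCovers(Collection<List<?>> sans, String host) {
        if (sans == null) {
            return false; // certificate has no SubjectAltName extension at all
        }
        boolean isIpLiteral = host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        int wantedType = isIpLiteral ? IP_ADDRESS : DNS_NAME;
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            if (type == wantedType && host.equalsIgnoreCase(String.valueOf(entry.get(1)))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = "192.168.1.101"; // address used in the question
        if (args.length > 0) { // usage: java SanCheck myCert.crt
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println(args[0] + " covers " + host + ": "
                        + sanCovers(cert.getSubjectAlternativeNames(), host));
            }
        }
        // Constructed samples: a certificate without SAN, one with an iPAddress
        // entry, and one that only carries a dNSName entry (hypothetical name).
        Collection<List<?>> ipSan = Arrays.<List<?>>asList(Arrays.asList(IP_ADDRESS, host));
        Collection<List<?>> dnsSan = Arrays.<List<?>>asList(Arrays.asList(DNS_NAME, "server.example"));
        System.out.println("no SAN:        " + sanCovers(null, host));
        System.out.println("iPAddress SAN: " + sanCovers(ipSan, host));
        System.out.println("dNSName only:  " + sanCovers(dnsSan, host));
    }
}
```

When the key pair is regenerated, keytool's `-ext SAN=ip:192.168.1.101` option adds the iPAddress entry the answer describes; the new certificate then has to be exported and imported into the client truststore again.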
