user6447305

Certificate hostname verification in java - subject alternative names

I am using a certificate with subject alternative names in the "Subject" field instead of x509 extensions.

A Java client that I use still fails connecting to the HTTPS URL, complaining that the hostname in the certificate didn't match. My understanding is that as long as the hostname is listed in Subject Alt Names it should work.

Here is the format of the Subject field in the certificate:

C=US,ST=.......CN=x.yz.com/[email protected]/subjectAltName=DNS.1=x2.y.com,DNS.2=x3.y.com

Is it necessary to define SAN as X509 extensions?

Upvotes: 1

Views: 2082

Answers (1)

Simone Carletti

Reputation: 176382

The subjectAltName is expected to be an X509v3 extension of the certificate, not a part of the Subject field. Therefore, if you listed the SAN names in the Subject, your certificate is invalid.

Here's an example of a certificate that defines an SAN. This answer contains the list of allowed fields for a subject.

Upvotes: 2
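
To see the difference described in the answer, the script below is an added example (not part of the original question or answer): it builds one self-signed certificate with the names placed in the Subject and one with a real X509v3 subjectAltName extension, then checks both. It assumes the `openssl` CLI is installed; the shortened subject, file names and function names are constructed, and openssl's `-checkhost` stands in for the Java client's hostname check.

```shell
#!/bin/sh
# Added example. Hostnames come from the question; the shortened subject,
# file names and function names are constructed for this demo.

make_demo_certs() {   # $1 = output directory
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder-overridden-by-subj
[san]
subjectAltName = DNS:x2.y.com, DNS:x3.y.com
EOF
  openssl genrsa -out "$1/key.pem" 2048 2>/dev/null || return 1
  # Wrong: "subjectAltName=..." becomes one more attribute of the Subject DN.
  openssl req -x509 -new -key "$1/key.pem" -days 1 -config "$1/req.cnf" \
    -subj "/C=US/CN=x.yz.com/subjectAltName=DNS.1=x2.y.com,DNS.2=x3.y.com" \
    -out "$1/san_in_subject.pem" 2>/dev/null || return 1
  # Right: the names are written as an X509v3 extension ([san] section).
  openssl req -x509 -new -key "$1/key.pem" -days 1 -config "$1/req.cnf" \
    -extensions san -subj "/C=US/CN=x.yz.com" \
    -out "$1/san_extension.pem" 2>/dev/null || return 1
}

has_san_extension() {   # $1 = certificate file
  openssl x509 -in "$1" -noout -text |
    grep -q 'X509v3 Subject Alternative Name:'
}

host_matches() {   # $1 = certificate file, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q 'does match certificate'
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
for cert in san_in_subject san_extension; do
  for host in x.yz.com x2.y.com x3.y.com; do
    if host_matches "$demo_dir/$cert.pem" "$host"
    then result="match"; else result="NO match"; fi
    echo "$cert.pem  $host  $result"
  done
done
rm -rf "$demo_dir"
```

Once the extension is present, the CN is no longer consulted for hostname matching, so `x.yz.com` has to be listed as a DNS entry too if clients connect by that name.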
