
I want to create a web service client using the wsdl2java utility. I have to connect to this server over SSL.

This wsdl looks like this:

https://xxx.xx.xx.xx:8443/api/wsdl/xxxxxxx.wsdl

I generated the certificate using:

openssl s_client -connect xxx.xx.xx.x:8443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > abcCertificate.pem

and added it to keystore using:

keytool -import -noprompt -trustcacerts -alias testcert -file abcCertificate.pem -keystore /usr/java/jdk1.7.0_06/jre/lib/security/cacerts -ext san=ip:xxx.xx.xx.xx

When I try to use wsdl2java to create the web service client, it throws an exception:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

I used this information from this link.

Chamila Adhikarinayake

  • possible duplicate of [How are SSL certificate server names resolved/Can I add alternative names using keytool?](http://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using) – Bruno Oct 09 '12 at 10:37
  • I've used `NoopHostnameVerifier`, see https://stackoverflow.com/a/57746053/548473 – Grigory Kislin Dec 13 '19 at 06:18

1 Answer


You seem to be confused between "importing" and "generating" the certificate.

Your openssl s_client command doesn't generate the certificate; it retrieves the certificate in use on that server.

The keytool -import command you use afterwards imports that certificate, as it is, into your truststore. There is no point using -ext san=ip:xxx.xx.xx.xx there: you're not generating the certificate, you're only importing it.

If you're in control of that server, you should generate a certificate (or get one from somewhere else) with an IP address SAN (since Java follows the specification strictly on this).

If you're not in control of that server, use its host name (provided that there is at least a CN matching that host name in the existing cert).

In general, it's not great to import a certificate obtained solely from a server like this directly into your trust store, since you're assuming that that particular connection wasn't tampered with.

Bruno

  • If I'm not in the control of the server, what exactly can I do in order to avoid the problem of the topic starter? I posted a description of what I did here - http://stackoverflow.com/questions/19540289/how-to-fix-the-java-security-cert-certificateexception-no-subject-alternative. – Glory to Russia Oct 23 '13 at 11:40
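The "if you're in control of the server" path from the answer, as an added example (not code from the question or the answer): `-ext san=ip:...` is applied where it actually takes effect, at key-pair generation, the certificate is exported and imported into a client-specific truststore rather than the JDK's cacerts, and the SAN is checked with `keytool -printcert`. It assumes a JDK `keytool` on PATH; `192.0.2.10` is a placeholder from the RFC 5737 documentation range standing in for the real server IP.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: create a server
# certificate that really carries an IP-address SAN, then trust it from a
# dedicated client truststore. Assumes keytool (JDK) on PATH. 192.0.2.10 is a
# placeholder (RFC 5737 documentation range) standing in for the real server IP.

SERVER_IP="${SERVER_IP:-192.0.2.10}"
WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"   # demo password only

# Create the server key pair. -ext has an effect only while a certificate is
# being created (here, or with -gencert); on -importcert it does nothing.
gen_server_cert() {
  rm -f "$WORK/server.jks"
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$SERVER_IP" \
    -ext "san=ip:$SERVER_IP" \
    -keystore "$WORK/server.jks" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    >/dev/null 2>&1
}

# Export only the certificate (no private key) for distribution to clients.
export_cert() {
  keytool -exportcert -rfc -alias server \
    -keystore "$WORK/server.jks" -storepass "$STOREPASS" \
    -file "$WORK/server.pem" >/dev/null 2>&1
}

# Trust it from a client-specific truststore instead of editing the JDK's cacerts.
import_cert() {
  rm -f "$WORK/client-truststore.jks"
  keytool -importcert -noprompt -alias server -file "$WORK/server.pem" \
    -keystore "$WORK/client-truststore.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Succeeds only if the exported certificate lists the IP in its SAN extension,
# which is what Java's hostname verification requires when connecting by IP.
has_ip_san() {
  keytool -printcert -file "$WORK/server.pem" | grep -q "IPAddress: $SERVER_IP"
}

# Succeeds if the client truststore contains the trusted entry.
truststore_has_entry() {
  keytool -list -keystore "$WORK/client-truststore.jks" -storepass "$STOREPASS" \
    | grep -q "^server,"
}

if gen_server_cert && export_cert && import_cert && has_ip_san && truststore_has_entry; then
  echo "OK: SAN ip:$SERVER_IP present; truststore: $WORK/client-truststore.jks"
else
  echo "a keytool step failed (is keytool on PATH?)" >&2
fi
```

Point the client JVM at that truststore with `-Djavax.net.ssl.trustStore=$WORK/client-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit` instead of modifying the JDK-wide cacerts file.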