
Basically, I have a Test server (Linux based) with a public IP but no public hostname. So I am trying to create SSL certificates for it using the IP address, so that my Java application can access another application using the IP address, for example:

https://210.10.10.10:8443/abc

I followed the post below: How are SSL certificate server names resolved/Can I add alternative names using keytool?

I did try both of the ways suggested to avoid this exception, but none is working. I am getting the same error.

1. I tried editing the "openssl.cnf" and adding the following:

        [req]
        req_extensions = v3_req

        [ v3_req ]

        # Extensions to add to a certificate request
        subjectAltName=IP:210.10.10.10
        # or subjectAltName=DNS:www.example.com

        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment


2. I also tried using the Java 1.7 keytool:

Like creating (created in Windows with Java 1.7, and copied all certs and JKS files to the Linux server env, running on Java 1.6):

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore myServerKeystore2.jks -srckeystore serverCertAsPK12.p12  -srcstoretype PKCS12 -alias servercertificate -ext SAN=ip:210.10.10.10

My environment setup is like below: Server is Linux (CentOS), Tomcat 6, JDK 1.6. The application is a Java application. Used OpenSSL to create all certificates and JKS files.

Still getting the `java.security.cert.CertificateException: No subject alternative names` exception.

Then I tried to create the JKS files and imported them into the default Java store file (cacerts) using keytool (in a Java 1.7 env) on a Windows machine, and exported these JKS and cacerts files to the Linux server.

Then also still getting the `java.security.cert.CertificateException: No subject alternative names` exception.

------- Updated below on 19 June in reply to Bruno ---------

Below are my Tomcat server.xml settings:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               truststoreFile="/usr/local/apache-tomcat-6.0.37/conf/cacerts.jks" truststorePass="changeit"
               keystoreFile="/usr/local/apache-tomcat-6.0.37/conf/myServerKeystore2.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

Where "cacerts.jks" is my client keystore file and "myServerKeystore2.jks" is my server keystore file.

I have followed each step on this tutorial to create ssl certificates using openssl.

Please help.
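As an added example (not code from the question or its comments), the script below reproduces the CSR-then-sign flow with the question's `[v3_req]` section and then checks whether the IP SAN actually made it into the final certificate. The point it demonstrates is that `openssl x509 -req` does not carry the extensions requested in a CSR into the signed certificate unless `-extfile`/`-extensions` is passed, which is a common way to end up with a certificate that has no SAN even though the CSR had one. It assumes `openssl` is on PATH; the address 210.10.10.10 is the one from the question.

```shell
#!/bin/sh
# Added example: build a cert via CSR + self-signing, both with and without
# carrying the v3_req extensions across, then inspect the result for the IP SAN.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
IP_ADDR="210.10.10.10"   # address from the question; substitute your own

# Config equivalent to the [v3_req] section in the question (plus a subject).
cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $IP_ADDR
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = IP:$IP_ADDR
EOF

# Key + CSR: the SAN is recorded in the CSR's requested extensions.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
  -out "$WORK/server.csr" -config "$WORK/san.cnf" >/dev/null 2>&1

# Self-sign WITHOUT passing extensions: the requested SAN is silently dropped.
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
  -days 365 -out "$WORK/server-nosan.pem" >/dev/null 2>&1

# Self-sign again, explicitly applying the v3_req section to the certificate.
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
  -days 365 -extfile "$WORK/san.cnf" -extensions v3_req \
  -out "$WORK/server.pem" >/dev/null 2>&1

# has_ip_san CERT IP: exit 0 if CERT's Subject Alternative Name lists IP, else 1.
# This is the same "X509v3 Subject Alternative Name" text a client checks.
has_ip_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "IP Address:$2"
}

has_ip_san "$WORK/server.pem" "$IP_ADDR" && echo "server.pem: SAN contains $IP_ADDR"
has_ip_san "$WORK/server-nosan.pem" "$IP_ADDR" || echo "server-nosan.pem: no IP SAN"
```

Running the same `openssl x509 -text -noout` check against the certificate Tomcat actually serves (via `openssl s_client`, as in the comments) tells you whether the keystore holds the SAN-bearing certificate or the one without it.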

Shibaram Sahoo
  • Can you check that the server is configured properly with that certificate? You can check this with `openssl s_client -connect 210.10.10.10:8443 | openssl x509 -text -noout`. There should be a "X509v3 Subject Alternative Name" section in the text, with the correct IP address. – Bruno Jun 18 '13 at 14:47
  • Yes, I have configured the server properly (updated with server settings above in my question). I tested the https://:8443/ and I got the tomcat default page running with the SSL. – Shibaram Sahoo Jun 20 '13 at 08:02
  • @Bruno, This is what I got when fired first part of the above command: https://gist.github.com/shibaram/ead04e9145a94f3005b3 – Shibaram Sahoo Jun 20 '13 at 08:05
  • Are you sure you've copied the whole cert (between BEGIN/END)? It doesn't seem to be readable. If you try with the second part of the command, can you see that SAN? – Bruno Jun 20 '13 at 08:29
  • "*Where "cacerts.jks" is my client keystore file*": this shouldn't be your client keystore, but a different keystore that doesn't contain the client's private key. – Bruno Jun 20 '13 at 08:29
  • I am new to SSL stuff. So I followed the tutorials, and some sites suggested using the client cert, so I used "cacerts.jks" as my client keystore in the server.xml. I don't see any SAN in the result. Here is the result I got when I ran the command `openssl s_client -connect 210.10.10.10:8443 | openssl x509 -text -noout` ::: https://gist.github.com/shibaram/5829306 – Shibaram Sahoo Jun 21 '13 at 06:41
