I have generated a certificate in Keycloak with the following command:
keytool -genkey -alias initcert -keyalg RSA -keystore keycloak.jks -validity 365 -keysize 2048
and below is the output of the above command:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: initcert
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <initcert>
(RETURN if same as keystore password):
Re-enter new password:
After this, I exported the certificate in Keycloak:
keytool -export -noprompt -trustcacerts -keystore keycloak.jks -alias initcert -file keycloak.cer -storepass keycloak
Now, after all this, I used the same certificate file on the Windows 10 client machine and imported it into Java like this:
keytool -import -noprompt -trustcacerts -alias "initcert" -file keycloak.cer -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
but when trying to connect to Keycloak from the JBoss server I am getting:
hostname in certificate didn't match: <135.280.198.150> !=
In the JBoss server's standalone file I added:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="ssl" key-alias="initcert" password="keycloak" certificate-key-file="C:\Users\user\Documents\MyFiles\New\keycloak.jks" protocol="TLSv1,SSLv3,SSLv2" verify-client="false"/>
</connector>
Just FYI, Keycloak is pointing to OpenJDK, while the client machine uses Oracle JDK.
I tried the following command on the same machine where the certificate was generated, and it gives proper results:
keytool -list -v -alias initcert -storepass keycloak -keystore keycloak.jks
Result of the above command:
Alias name: initcert
Creation date: Jan 9, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 2bb3190d
Valid from: Tue Jan 09 09:52:46 IST 2018 until: Wed Jan 09 09:52:46 IST 2019
Certificate fingerprints:
MD5: EF:A3:91:B8:B0:1C:61:F4:9D:9C:D6:05:37:D2:13:7D
SHA1: 73:A1:DF:15:17:1F:0E:34:0C:44:ED:46:90:24:4E:75:F1:0E:BD:48
SHA256: BE:5A:FE:06:97:E4:1C:55:14:E4:17:01:DD:02:76:88:44:7D:E5:39:4E:3C:5A:03:12:DD:3E:88:C1:96:9C:D2
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A0 57 CC B8 39 1C C9 1A 1A EE 74 72 90 99 89 8D .W..9.....tr....
0010: 60 90 F3 A3 `...
]
]
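
The hostname mismatch reported above, reproduced as an added example (not part of the original post): a simplified RFC 2818 name check run against the Owner line from the keytool listing. `SERVER_IP` is a constructed documentation address, the function names are hypothetical, and the empty SAN lists assume the certificate has no SubjectAlternativeName, as the listing suggests.

```python
import ipaddress

def parse_cn(owner):
    """Return the CN value from a keytool 'Owner:' distinguished name."""
    for part in owner.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None

def as_ip(text):
    """Parse an IPv4/IPv6 literal, or return None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def dns_match(pattern, host):
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def host_matches(host, owner, san_dns=(), san_ip=()):
    """Simplified RFC 2818 section 3.1 check of the name a client connects to."""
    ip = as_ip(host)
    if ip is not None:
        # An IP target is compared only with iPAddress SAN entries, never the CN.
        return any(as_ip(entry) == ip for entry in san_ip)
    if san_dns:
        return any(dns_match(name, host) for name in san_dns)
    cn = parse_cn(owner)  # legacy fallback when no dNSName SAN exists
    return cn is not None and dns_match(cn, host)

# Owner line copied from the keytool -list output above.
OWNER = "CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
SERVER_IP = "192.0.2.10"  # constructed documentation address, not the poster's

if __name__ == "__main__":
    print("IP vs CN only:", host_matches(SERVER_IP, OWNER))
    print("IP vs SAN    :", host_matches(SERVER_IP, OWNER, san_ip=[SERVER_IP]))
    print("name vs CN   :", host_matches("initcert", OWNER))
```

A certificate whose only name is `CN=initcert` passes this check only when the client connects to the host name `initcert`; a connection by IP address needs that address in an iPAddress SAN entry.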