问题
I want to create a web service client using wsdl2java utility. I have to connect to this server over SSL
This wsdl looks like this:
https://xxx.xx.xx.xx:8443/api/wsdl/xxxxxxx.wsdl
I generated the certificate using:
openssl s_client -connect xxx.xx.xx.x:8443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > abcCertificate.pem
and added it to keystore using:
keytool -import -noprompt -trustcacerts -alias testcert -file abcCertificate.pem -keystore /usr/java/jdk1.7.0_06/jre/lib/security/cacerts -ext san=ip:xxx.xx.xx.xx
When I try to use wsdl2java to create the web service client, it throws exception:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
I use these information from this link.
回答1:
You seem to be confused between "importing" and "generating" the certificate.
You openssl s_client command doesn't generate the certificate, it retrieves the certificate in use on that server.
The keytool -import command you use afterwards imports that certificate, as it is, into your truststore. There is no point using -ext san=ip:xxx.xx.xx.xx there: you're not generating the certificate, you're only importing it.
If you're in control of that server, you should generate (or get a certificate from somewhere else) with an IP address SAN (since Java follows the specification strictly on this).
If you're not in control of that server, use its host name (provided that there is at least a CN matching that host name in the existing cert).
In general, it's not great to import directly a certificate obtained solely from a server like this into your trust store, since you're assuming that that particular connection wasn't tampered with.
来源:https://stackoverflow.com/questions/12792586/no-subject-alternative-names-present-exception-when-creating-web-service-client