asked on

If I generate a self signed certificate, does it need to be imported to the truststore on the same host?

Hi,
If I generate a self signed certificate from host ABC, does the certificate need to be imported to the truststore on the same host ABC to do a url openconnection https://ABC?

When i do a url.openConnection("https://ABC")
I am getting javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

But if I try to import the generated self-signed certificate using keytool, it says
keytool error: java.lang.Exception: Certificate reply and certificate in keystore are identical
java.lang.Exception: Certificate reply and certificate in keystore are identical

Thanks
Jamie

ASKER CERTIFIED SOLUTION

mrcoffee365

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

jamie_lynn

ASKER

ABC is just an example hostname. My real hostname is different. My domain and hostname are fine.

I set the alias using keytool as the FQDN.

What do you mean by chrome browser has a serious deficiencies in this area?

Thanks
Jamie

jamie_lynn

ASKER

I am using command below to import the certificate.

keytool -import -v -trustcacerts -keystore mykeystore.ks -alias ABC.corp.com -file /tmp/abc.der -keypass changeit -storepass changeit

Am i missing something?

Thanks
Jamie

jamie_lynn

ASKER

I found out why.. I was using the ipaddress on the URL instead of the DNS hostname that is the CN in the certificate.

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
means that hostname used and the CN didn't match

Thanks!

mrcoffee365

Yes, as I responded to you above: "You'll get this error if you use an IP address as the CN name in your cert as well."

Good luck!