Solved

If I generate a self signed certificate, does it need to be imported to the truststore on the same host?

Posted on 2013-01-08
Last Modified: 2013-01-11
Hi,
If I generate a self-signed certificate on host ABC, does the certificate need to be imported into the truststore on the same host ABC to do a url.openConnection to https://ABC?

When I do a url.openConnection("https://ABC")
I am getting javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

But if I try to import the generated self-signed certificate using keytool, it says
keytool error: java.lang.Exception: Certificate reply and certificate in keystore are identical
java.lang.Exception: Certificate reply and certificate in keystore are identical

Thanks
Jamie
Question by:jamie_lynn

Accepted Solution

by:
mrcoffee365 earned 500 total points
ID: 38759412
Can't quite tell from your description. Did you follow the instructions on the tomcat site for using self-signed certs?
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Did you actually create a domain name called "ABC"? Because usually that will not work -- it has to have a name like "abc.com" for the cert to get applied correctly. You'll get this error if you use an IP address as the CN name in your cert as well.

This all works if you add your fake domain to your hosts file
127.0.0.1 www.myabc.com

Then create a cert for www.myabc.com as if it were a normal cert (using keytool).  Don't identify it as "localhost" or other shorthand names.

Then use that keystore as Tomcat's ssl keystore.  We do this all the time and it's fine.

Except for the chrome browser, which has serious deficiencies in this area.  But Firefox and even IE are fine.
Author Comment

by:jamie_lynn
ID: 38765107
ABC is just an example hostname. My real hostname is different. My domain and hostname are fine.

I set the alias using keytool as the FQDN.

What do you mean by the Chrome browser has serious deficiencies in this area?

Thanks
Jamie
Author Comment

by:jamie_lynn
ID: 38765173
I am using command below to import the certificate.

keytool -import -v -trustcacerts -keystore mykeystore.ks -alias ABC.corp.com -file /tmp/abc.der -keypass changeit -storepass changeit

Am I missing something?

Thanks
Jamie
Author Comment

by:jamie_lynn
ID: 38765476
I found out why... I was using the IP address in the URL instead of the DNS hostname that is the CN in the certificate.

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
means that the hostname used and the CN didn't match

Thanks!
Expert Comment

by:mrcoffee365
ID: 38765882
Yes, as I responded to you above: "You'll get this error if you use an IP address as the CN name in your cert as well."

Good luck!
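An added example, not code from this thread or from the JDK, that makes the rule behind the last two comments concrete: it loads a certificate file (DER or PEM) and reports whether Java's default HttpsURLConnection hostname check would accept the host part of a URL, distinguishing an IP literal (needs an iPAddress SAN; the CN is never consulted) from a DNS name (dNSName SAN first, CN only as a fallback when no dNSName exists). The class name HostnameCheck, the IPv4-only regex and the exact-match-only comparison (no wildcards) are my simplifications.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class HostnameCheck {
    // GeneralName tags as returned by X509Certificate.getSubjectAlternativeNames()
    private static final int DNS_NAME = 2, IP_ADDRESS = 7;

    public static void main(String[] args) throws Exception {
        // usage: java HostnameCheck <cert.der or cert.pem> <host-part-of-url>
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(verdict(cert, args[1]));
    }

    static String verdict(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        List<String> dnsNames = new ArrayList<>(), ipNames = new ArrayList<>();
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == DNS_NAME) dnsNames.add((String) san.get(1));
                if ((Integer) san.get(0) == IP_ADDRESS) ipNames.add((String) san.get(1));
            }
        }
        String cn = null; // subject CN, parsed from the RFC 2253 form of the subject DN
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) cn = rdn.getValue().toString();
        }
        String summary = "CN=" + cn + " dnsSAN=" + dnsNames + " ipSAN=" + ipNames + " -> ";
        boolean hostIsIp = host.matches("\\d{1,3}(\\.\\d{1,3}){3}"); // IPv4 literal only (simplification)
        if (hostIsIp) {
            // An IP literal in the URL is matched only against iPAddress SAN entries; the CN is never used.
            if (sans == null) return summary + "REJECT: No subject alternative names present";
            return summary + (ipNames.contains(host) ? "ACCEPT: IP SAN matches" : "REJECT: no IP SAN equals " + host);
        }
        if (!dnsNames.isEmpty()) {
            // Once dNSName entries exist the CN is ignored; the host must equal one of them.
            for (String n : dnsNames) if (n.equalsIgnoreCase(host)) return summary + "ACCEPT: DNS SAN matches";
            return summary + "REJECT: no DNS SAN equals " + host;
        }
        // No dNSName SAN at all: legacy fallback to the CN, which is why the FQDN URL in the thread worked.
        return summary + (host.equalsIgnoreCase(cn) ? "ACCEPT: CN matches (fallback)" : "REJECT: CN does not match " + host);
    }
}
```

Run it against the exported /tmp/abc.der from the thread once with the FQDN and once with the host's IP address to see the two outcomes side by side.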