If I generate a self signed certificate, does it need to be imported to the truststore on the same host?

Hi,
If I generate a self signed certificate from host ABC, does the certificate need to be imported to the truststore on the same host ABC to do a url openconnection https://ABC?

When i do a url.openConnection("https://ABC")
I am getting  javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

But if I try to import the generated self-signed certificate using keytool, it says
keytool error: java.lang.Exception: Certificate reply and certificate in keystore are identical
java.lang.Exception: Certificate reply and certificate in keystore are identical

Thanks
Jamie
jamie_lynnAsked:
Who is Participating?
 
mrcoffee365Connect With a Mentor Commented:
Can't quite tell from your description.  Did you follow the instructions on the tomcat site for using self-signed certs?
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Did you actually create a domain name called "ABC"?  Because usually that will not work -- it has to have a name like "abc.com" for the cert to get applied correctly.  You'll get this error if you use an IP address as the CN name in your cert as well.

This all works if you add your fake domain to your hosts file
127.0.0.1 www.myabc.com

Then create a cert for www.myabc.com as if it were a normal cert (using keytool).  Don't identify it as "localhost" or other shorthand names.

Then use that keystore as Tomcat's ssl keystore.  We do this all the time and it's fine.

Except for the chrome browser, which has serious deficiencies in this area.  But Firefox and even IE are fine.
0
 
jamie_lynnAuthor Commented:
ABC is just an example hostname. My real hostname is different. My domain and hostname are fine.

I set the alias using keytool as the FQDN.

What do you mean by chrome browser has a serious deficiencies in this area?

Thanks
Jamie
0
 
jamie_lynnAuthor Commented:
I am using command below to import the certificate.

keytool -import -v -trustcacerts -keystore mykeystore.ks -alias ABC.corp.com -file /tmp/abc.der -keypass changeit -storepass changeit

Am i missing something?

Thanks
Jamie
0
 
jamie_lynnAuthor Commented:
I found out why.. I was using the ipaddress on the URL instead of the DNS hostname that is the CN in the certificate.

 javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
means that hostname used and the CN didn't match

Thanks!
0
 
mrcoffee365Commented:
Yes, as I responded to you above: "You'll get this error if you use an IP address as the CN name in your cert as well."

Good luck!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.