No subject alternative names present exception when creating web service client


Problem description

I want to create a web service client using wsdl2java utility. I have to connect to this server over SSL

This wsdl looks like this:

https://xxx.xx.xx.xx:8443/api/wsdl/xxxxxxx.wsdl

I generated the certificate using:

openssl s_client -connect xxx.xx.xx.x:8443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > abcCertificate.pem

and added it to keystore using:

keytool -import -noprompt -trustcacerts -alias testcert -file abcCertificate.pem -keystore /usr/java/jdk1.7.0_06/jre/lib/security/cacerts -ext san=ip:xxx.xx.xx.xx

When I try to use wsdl2java to create the web service client, it throws exception:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

I use this information from this link.

Recommended answer

You seem to be confused between "importing" and "generating" the certificate.

Your openssl s_client command doesn't generate the certificate, it retrieves the certificate in use on that server.

The keytool -import command you use afterwards imports that certificate, as it is, into your truststore. There is no point using -ext san=ip:xxx.xx.xx.xx there: you're not generating the certificate, you're only importing it.

If you're in control of that server, you should generate a certificate (or get one from somewhere else) with an IP address SAN (since Java follows the specification strictly on this).

If you're not in control of that server, use its host name (provided that there is at least a CN matching that host name in the existing cert).

In general, it's not great to import directly a certificate obtained solely from a server like this into your trust store, since you're assuming that that particular connection wasn't tampered with.
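
The distinction drawn in the answer, as an added example that is not part of the original question or answer: a SAN is fixed when a certificate is generated, and a fetched certificate should be checked for an IP SAN and against an out-of-band fingerprint before it is imported. The address 192.0.2.10, the file names and the function names are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```sh
#!/bin/sh
# Added example (not from the original answer). 192.0.2.10 and all file names
# are constructed placeholders. Needs OpenSSL 1.1.1 or later for -addext.

# make_cert PREFIX [SAN]: throwaway self-signed cert standing in for the server's.
# A SAN can only be set here, when the certificate is generated and signed.
# keytool accepts -ext at the same stage, e.g. with -genkeypair:
#   keytool -genkeypair -keyalg RSA -alias server -ext san=ip:192.0.2.10 ...
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=192.0.2.10" \
        ${2:+-addext "subjectAltName=$2"} -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# ip_san_matches CERT IP: true only if CERT has an iPAddress SAN equal to IP.
# A CN that merely looks like the IP does not count, as in Java's check.
ip_san_matches() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# fingerprint_matches CERT EXPECTED: compare CERT's SHA-256 fingerprint with a
# value obtained out of band (assumed here: from the server's administrator)
# before importing a certificate that was fetched with s_client.
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/nosan"                      # CN only, like the failing server
    make_cert "$dir/withsan" "IP:192.0.2.10"    # regenerated with an IP SAN
    for c in nosan withsan; do
        if ip_san_matches "$dir/$c.pem" 192.0.2.10; then
            echo "$c: IP SAN matches, connecting by IP address can verify"
        else
            echo "$c: no matching IP SAN, connecting by IP address fails"
        fi
    done
    rm -rf "$dir"
}
demo
```

Running ip_san_matches on the abcCertificate.pem file from the question shows whether the server's certificate carries an IP SAN at all; importing it with keytool does not change that result.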
