Exception on using IP address in certificate name


Problem description


Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname 97.xx.xxx.xxx not verified: certificate: sha256/tjx1IRiuC1TmxlIIhW8FWOxoaFoY2E3mECOgtGW0Jqk= DN: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU subjectAltNames: [97.xx.xxx.xxx]

Certificate details

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            XXXXXXX
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Apr 22 17:42:36 2019 GMT
            Not After : Apr 20 17:42:36 2024 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    XXXXX
                Exponent: XXX
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:XXXXX

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                DNS:97.XX.XXX.XXX
    Signature Algorithm: sha256WithRSAEncryption
         XXXXXX

I am getting the above error on using the certificate with IP address. Is there something else I am supposed to do for creating a certificate with IP address? What are the reasons for the Hostname not verified: exception?

Recommended answer

I was able to get it to work as suggested by Steffen in the comments: I added the domain IP address to subjectAltName with type IP.

openssl x509 -req -in certificate_sign_req.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out signed_certificate.crt -days 1825 -sha256 -extfile <(cat <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = ${domain}
EOF
)
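
An added example, not part of the original answer: it builds the question's certificate (the address written as a DNS-type SAN) beside the answer's fix (an IP-type SAN) and checks both with `openssl x509 -checkip`, which matches only iPAddress SAN entries. The address 192.0.2.10, the subject and the file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo values: 192.0.2.10 is a documentation address (RFC 5737),
# and the subject and file names are placeholders, not taken from the page.

# make_cert SAN OUT: write a throwaway self-signed cert carrying the given SAN.
make_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
O = Example Test
[ext]
basicConstraints = CA:FALSE
subjectAltName = $1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$2" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

# san_of CERT: print the SAN entries with their type (DNS: or IP Address:).
san_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 "Subject Alternative Name" |
        tail -n 1 | sed 's/^ *//; s/ *$//'
}

# ip_matches CERT IP: succeed only if CERT has an iPAddress SAN equal to IP.
ip_matches() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match certificate"
}

tmp=$(mktemp -d)
make_cert "DNS:192.0.2.10" "$tmp/dns.crt"   # the question's certificate
make_cert "IP:192.0.2.10" "$tmp/ip.crt"     # the answer's fix
for kind in dns ip; do
    if ip_matches "$tmp/$kind.crt" 192.0.2.10; then verdict="verified"
    else verdict="NOT verified"; fi
    echo "$(san_of "$tmp/$kind.crt") -> 192.0.2.10 $verdict"
done
rm -rf "$tmp"
```

The same check can be run against the certificate produced by the answer's command: `openssl x509 -in signed_certificate.crt -noout -checkip` followed by the server address.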
