如何将主题替代名称添加到 ssl 证书? [英] How to add subject alernative name to ssl certs?

问题描述

我正在使用 openssl 来创建自签名证书.我生成的证书出现此错误:

I'm using openssl to create self-signed certs. I'm getting this error with the certs I generated:

javax.net.ssl.SSLHandshakeException:java.security.cert.CertificateException:没有主题替代名称礼物

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

有谁知道如何在创建证书时指定主题备用名称"?这就是我生成密钥库的方式:

Does anyone know how to specify "Subject alternative name" while creating a cert? This is how I'm generating a keystore:

sudo $JAVA_HOME/bin/keytool -genkey -dname "CN=192.168.x.xxx, OU=I, O=I, L=T, ST=On, C=CA" -alias tomcat -validity 3650 -keyalg RSA -keystore /root/.keystore -keypass abcd -storepass abcd

生成密钥:

 openssl s_client -connect 192.168.x.xxx:8443 2>/dev/null

请帮忙！谢谢！

推荐答案

虽然这个问题更具体地与 IP 地址有关在主题 Alt.名称，命令类似(使用 DNS 条目作为主机名，IP 条目作为 IP 地址).

Although this question was more specifically about IP addresses in Subject Alt. Names, the commands are similar (using DNS entries for a host name and IP entries for IP addresses).

引用我自己的话:

如果您使用 keytool，从 Java 7, keytool 有一个选项包括主题备用名称(请参阅文档中的表格对于 -ext):您可以使用 -ext san=dns:www.example.com 或 -extsan=ip:10.0.0.1

If you're using keytool, as of Java 7, keytool has an option to include a Subject Alternative Name (see the table in the documentation for -ext): you could use -ext san=dns:www.example.com or -ext san=ip:10.0.0.1

请注意，您只需要 Java 7 的 keytool 即可使用此命令.准备好密钥库后，它应该可以与以前版本的 Java 一起使用.

Note that you only need Java 7's keytool to use this command. Once you've prepared your keystore, it should work with previous versions of Java.

(这个答案的其余部分也提到了如何使用 OpenSSL 来做到这一点，但它似乎不是你正在使用的.)

(The rest of this answer also mentions how to do this with OpenSSL, but it doesn't seem to be what you're using.)

这篇关于如何将主题替代名称添加到 ssl 证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！