IP address as hostname (CN) when creating a certificate? (HTTPS hostname wrong: should be <ipAddress>)


Problem description

Possible duplicate:
How are SSL certificate server names resolved/Can I add alternative names using keytool?

I created a certificate and set the CN to the IP address of my server which is in xxx.xxx.xxx.xxx format. But when I try to run my code in Java, I'm getting a HTTPS hostname wrong: should be <xxx.xxx.xxx.xx> error message.

What could be wrong? I'm sure that I'm connecting to the correct IP address. However, I did not specify the port of the server on the certificate. Is the port required when supplying the value for CN? But I'm using the default port for https which is 8443. Also, I tried changing my CN from the IP address of my server to "localhost". It works after that. I'm thinking if the CN part does not accept an IP address as value?

Can you please explain how the CN works and what the required values for it are?

Thanks!

Recommended answer

The identity you need to put in the certificate needs to be the one you're looking for via the URL. For example, if you're using https://www.example.net, your certificate needs to be valid for www.example.net; if you're using https://10.0.0.1/, your certificate needs to be valid for 10.0.0.1.

The Common Name RDN in the Subject DN of the certificate is normally only used when (a) there is no Subject Alternative Name DNS entry and (b) it's looking for a host name, not an IP address. This is defined in RFC 2818 Section 3.1:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

[...]

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

In general, using IP addresses in certificates is not recommended (see problems mentioned in RFC 6125). However, if you really need to, you'll need a certificate with the IP address as a SAN entry of IP address type, which you can generate as described in this answer.
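
The identity-selection rule quoted above from RFC 2818 Section 3.1, as an added example that is not part of the original answer: a Python function applying it to certificates shaped like the dictionaries returned by `ssl.SSLSocket.getpeercert()`. The function name and the sample certificates are constructed for illustration, the last CN is assumed to be the "most specific" one, and names are compared exactly (wildcards are not handled).

```python
import ipaddress

def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def check_identity(url_host, cert):
    """Hypothetical helper: apply RFC 2818 Section 3.1 and return (ok, rule_used)."""
    sans = cert.get("subjectAltName", ())
    want_ip = _as_ip(url_host)
    if want_ip is not None:
        # URI host is an IP address: only iPAddress SAN entries count.
        # The Common Name is never consulted, even if it holds the same IP.
        ips = [_as_ip(v) for t, v in sans if t == "IP Address"]
        if want_ip in ips:
            return True, "iPAddress SAN"
        return False, "no matching iPAddress SAN"
    dns = [v.lower() for t, v in sans if t == "DNS"]
    if dns:
        # A dNSName SAN is present, so it MUST be used and the CN is ignored.
        return url_host.lower() in dns, "dNSName SAN"
    # No dNSName SAN: fall back to the Common Name in the Subject DN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = bool(cns) and cns[-1].lower() == url_host.lower()
    return ok, "Common Name fallback"

# Constructed sample certificates (getpeercert()-style dictionaries).
CN_IP_ONLY = {"subject": ((("commonName", "10.0.0.1"),),)}
CN_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
IP_SAN = {"subject": ((("commonName", "10.0.0.1"),),),
          "subjectAltName": (("IP Address", "10.0.0.1"),)}
DNS_SAN = {"subject": ((("commonName", "other.example.net"),),),
           "subjectAltName": (("DNS", "www.example.net"),)}

if __name__ == "__main__":
    for host, cert in [("10.0.0.1", CN_IP_ONLY), ("localhost", CN_LOCALHOST),
                       ("10.0.0.1", IP_SAN), ("other.example.net", DNS_SAN)]:
        print(host, check_identity(host, cert))
```

The first two cases reproduce what the question describes: a certificate with only CN set to the IP is rejected for an IP URL, while CN=localhost is accepted through the Common Name fallback.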
