IP address as hostname (CN) when creating a certificate? (HTTPS hostname wrong: should be <ipAddress>)

This article describes how to handle "IP address as hostname (CN) when creating a certificate? (HTTPS hostname wrong: should be <ipAddress>)". It should be of some reference value to readers working through the same problem, so follow along with the editor and learn together!

Problem description

Possible Duplicate:
How are SSL certificate server names resolved/Can I add alternative names using keytool?

I created a certificate and set the CN to the IP address of my server which is in xxx.xxx.xxx.xxx format. But when I try to run my code in Java, I'm getting an HTTPS hostname wrong: should be <xxx.xxx.xxx.xx> error message.

What could be wrong? I'm sure that I'm connecting to the correct IP address. However, I did not specify the port of the server on the certificate. Is the port required when supplying the value for CN? But I'm using the default port for https which is 8443. Also, I tried changing my CN from the IP address of my server to "localhost". It works after that. I'm wondering whether the CN part does not accept an IP address as a value?

Can you please explain how the CN works and what the required values for it are?

Thanks!

Solution

The identity you need to put in the certificate needs to be the one you're looking for via the URL. For example, if you're using https://www.example.net, your certificate needs to be valid for www.example.net; if you're using https://10.0.0.1/, your certificate needs to be valid for 10.0.0.1.

The Common Name RDN in the Subject DN of the certificate is normally only used when (a) there is no Subject Alternative Name DNS entry and (b) it's looking for a host name, not an IP address. This is defined in RFC 2818 Section 3.1:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

[...]

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

In general, using IP addresses in certificates is not recommended (see the problems mentioned in RFC 6125). However, if you really need to, you'll need a certificate with the IP address as a SAN entry of IP address type, which you can generate as described in this answer.
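To make the RFC 2818 rules quoted in the answer concrete, here is an added example (not part of the original answer, and not how Java's `HttpsURLConnection` is implemented) that applies those rules to a URL host and a certificate's identity fields. `CertIdentity` is a constructed stand-in for the CN and SAN entries you would read out of a real X.509 certificate; wildcard handling is simplified to a `*.` in the left-most label. The cases at the bottom reproduce the question: a CN holding the IP string fails, the same CN with an iPAddress SAN succeeds, and `localhost` as CN works because the CN fallback applies to host names.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Constructed stand-in for the identity fields of an X.509 certificate."""
    common_name: Optional[str] = None          # Subject CN (deprecated fallback)
    dns_sans: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    ip_sans: List[str] = field(default_factory=list)   # subjectAltName iPAddress entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a wildcard is honoured only as '*.' in the
    left-most label and only matches exactly one label (simplification of RFC 2818)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.net"
        return (
            host.endswith(suffix)
            and host.count(".") == pattern.count(".")
            and host[:-len(suffix)] != ""
        )
    return False


def host_matches_certificate(url_host: str, cert: CertIdentity) -> bool:
    """Apply the RFC 2818 section 3.1 identity rules to a URL host and a certificate."""
    try:
        # IPv6 literals appear in URLs as [::1]; strip the brackets before parsing.
        ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        # IP literal in the URL: only an iPAddress SAN counts. A CN that happens to
        # contain the same dotted-quad string is ignored, which is exactly why the
        # certificate in the question is rejected.
        return any(ipaddress.ip_address(san) == ip for san in cert.ip_sans)

    if cert.dns_sans:
        # A dNSName SAN is present, so it MUST be used and the CN is not consulted.
        return any(_dns_match(p, url_host) for p in cert.dns_sans)

    # No dNSName SAN at all: fall back to the (deprecated) Common Name.
    return cert.common_name is not None and _dns_match(cert.common_name, url_host)


if __name__ == "__main__":
    # Constructed cases mirroring the question and the answer.
    cases = [
        ("10.0.0.1", CertIdentity(common_name="10.0.0.1")),                       # fails
        ("10.0.0.1", CertIdentity(common_name="10.0.0.1", ip_sans=["10.0.0.1"])),  # ok
        ("localhost", CertIdentity(common_name="localhost")),                    # ok
        ("www.example.net", CertIdentity(common_name="www.example.net",
                                         dns_sans=["other.example.net"])),       # fails
        ("foo.example.net", CertIdentity(dns_sans=["*.example.net"])),           # ok
    ]
    for host, cert in cases:
        print(f"{host:18} -> {host_matches_certificate(host, cert)}")
```

When issuing such a certificate with OpenSSL, the IP goes into the extension as `subjectAltName = IP:10.0.0.1` (for example via `openssl req -addext` in OpenSSL 1.1.1 and later); a `CN=10.0.0.1` alone will keep failing the check above no matter which port the server listens on, since the port plays no part in hostname verification.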

That concludes this article on "IP address as hostname (CN) when creating a certificate? (HTTPS hostname wrong: should be <ipAddress>)". We hope the recommended answer is helpful to everyone, and we hope you will continue to support IT屋!
