CertificateException: No subject alternative names present


Problem description

I am getting the following exception while calling an HTTPS web service.

com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present.

I am calling a PHP web service from Java code. The CN (Common Name), i.e. the IP address on the certificate, and the IP address I am calling are different. I have added the certificate to the Java keystore. Can someone help me understand why this is happening? Where am I going wrong? The CN is the server IP address. I am calling that server using its external IP address, given to us because of a firewall issue.

Recommended answer


The CN (Common name) i.e. IP on certificate is different and the IP I am calling is different.

...

HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present.

When a name is present in the Common Name (CN), it must also be present in the Subject Alternate Name (SAN). You have a malformed certificate (and it might have other problems). See Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Section 9 (pages 9 & 10):


9.2.2 Subject Common Name Field

Certificate Field: subject:commonName (OID 2.5.4.3)

Required/Optional: Deprecated (Discouraged, but not prohibited)

Contents: If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension (see Section 9.2.1).

Bruno can probably cite the relevant section from RFC 6125.
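
The following is an added example, not part of the original question or answer. It reproduces the condition with throwaway certificates and shows the corrected form: when a client connects by IP address, the address has to appear as an iPAddress entry in subjectAltName, and a CN or a dNSName entry carrying the same string does not satisfy the check. It assumes OpenSSL 1.1.1 or later on the PATH; `203.0.113.10` is a constructed documentation address and `make_cert` / `ip_matches` are illustrative helper names.

```bash
#!/usr/bin/env bash
# Added example (assumes OpenSSL 1.1.1+ for -addext). 203.0.113.10 is a
# constructed documentation address standing in for the external IP the
# client connects to; make_cert and ip_matches are illustrative helpers.
WORK=$(mktemp -d)
IP=203.0.113.10

# make_cert NAME [SAN]: throwaway self-signed certificate with CN=$IP.
# The subjectAltName extension is added only when a SAN value is passed.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$IP" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        ${2:+-addext "subjectAltName=$2"} 2>/dev/null
}

# ip_matches NAME: succeeds only when $IP is listed as an iPAddress entry in
# the certificate's subjectAltName. openssl's -checkip never falls back to
# the CN and ignores dNSName entries.
ip_matches() {
    openssl x509 -in "$WORK/$1.pem" -noout -checkip "$IP" |
        grep -q 'does match certificate'
}

make_cert cn_only                 # the situation in the question: CN only
make_cert dns_san "DNS:$IP"       # common mistake: IP stored as a dNSName
make_cert ip_san  "IP:$IP"        # corrected: IP stored as an iPAddress

for cert in cn_only dns_san ip_san; do
    if ip_matches "$cert"; then
        echo "$cert: $IP accepted"
    else
        echo "$cert: $IP rejected"
    fi
    # Show the extension a client would see (nothing for cn_only).
    openssl x509 -in "$WORK/$cert.pem" -noout -ext subjectAltName 2>/dev/null || true
done
```

Once the server certificate is reissued with the IP SAN, the new certificate has to be imported into the Java truststore again, because the previously imported copy is a different certificate.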
