
Hostname in certificate didn't match

I have generated a certificate for Keycloak with the following command:

keytool -genkey -alias initcert  -keyalg  RSA  -keystore keycloak.jks  -validity 365  -keysize 2048

and below is the output of the above command:

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  initcert
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <initcert>
        (RETURN if same as keystore password):
Re-enter new password:

After this, I exported the certificate from the keystore:

keytool -export -noprompt -trustcacerts -keystore keycloak.jks -alias initcert -file keycloak.cer -storepass keycloak

Now, after all this, I copied the same certificate file to the Windows 10 client machine and imported it into Java like this:

keytool -import -noprompt -trustcacerts -alias "initcert" -file keycloak.cer -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

but when trying to connect to Keycloak from the JBoss server I am getting:

hostname in certificate didn't match: <135.280.198.150> !=

In the JBoss server's standalone file I added:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="ssl" key-alias="initcert" password="keycloak" certificate-key-file="C:\Users\user\Documents\MyFiles\New\keycloak.jks" protocol="TLSv1,SSLv3,SSLv2" verify-client="false"/>
</connector>

Just FYI, Keycloak is pointing to OpenJDK while the client machine uses Oracle JDK.

I tried the following command on the same machine where the certificate was generated and it gives proper results:

keytool -list -v -alias initcert -storepass keycloak -keystore keycloak.jks

Result of the above command:

Alias name: initcert
Creation date: Jan 9, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 2bb3190d
Valid from: Tue Jan 09 09:52:46 IST 2018 until: Wed Jan 09 09:52:46 IST 2019
Certificate fingerprints:
         MD5:  EF:A3:91:B8:B0:1C:61:F4:9D:9C:D6:05:37:D2:13:7D
         SHA1: 73:A1:DF:15:17:1F:0E:34:0C:44:ED:46:90:24:4E:75:F1:0E:BD:48
         SHA256: BE:5A:FE:06:97:E4:1C:55:14:E4:17:01:DD:02:76:88:44:7D:E5:39:4E:3C:5A:03:12:DD:3E:88:C1:96:9C:D2
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A0 57 CC B8 39 1C C9 1A   1A EE 74 72 90 99 89 8D  .W..9.....tr....
0010: 60 90 F3 A3                                        `...
]
]

It's true that you have to provide the correct fully qualified domain name (FQDN) of your server in the certificate. However, setting the CN in the certificate's subject is actually not correct, but still supported by many implementations.
The correct way to set the server name (or IP address) in an X.509 certificate is the Subject Alternative Name (SAN).
See "how to add subject alternative name to ssl certs?" and RFC 5280 for more information.
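As an added example (not part of the question or the answer): a small Python matcher that applies the RFC 2818/6125 rules the answer refers to, run against two constructed certificates in the dict shape `ssl.getpeercert()` returns. The CN-only certificate mirrors the question's keytool output; the SAN certificate stands for a keystore generated with keytool's `-ext SAN=dns:...,ip:...` option, using placeholder names and addresses.

```python
import ipaddress

# Constructed peer certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# CERT_CN_ONLY mirrors the keytool output in the question: CN=initcert, no SAN extension.
CERT_CN_ONLY = {"subject": ((("commonName", "initcert"),),)}
# CERT_WITH_SAN is the shape a keystore built with
#   keytool -genkeypair ... -ext SAN=dns:keycloak.example.com,ip:192.0.2.10
# would present (hostname and address are placeholders, not values from the page).
CERT_WITH_SAN = {
    "subject": ((("commonName", "initcert"),),),
    "subjectAltName": (("DNS", "keycloak.example.com"), ("IP Address", "192.0.2.10")),
}


def dns_match(pattern, hostname):
    """RFC 6125 dNSName matching: case-insensitive, and a wildcard may only be the
    whole leftmost label, so *.example.com covers a.example.com but not example.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and len(h) >= 3 and p[1:] == h[1:]


def match_hostname(cert, host):
    """Return (matched, reason) for a host (DNS name or IP literal) against a cert.
    Rules from RFC 2818/6125: if a SAN is present it is authoritative and the CN is
    ignored; an IP literal must match an iPAddress SAN entry, never the CN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched SAN iPAddress " + value
            if ip is None and kind == "DNS" and dns_match(value, host):
                return True, "matched SAN dNSName " + value
        return False, "SAN present but no entry matches " + host
    if ip is not None:
        return False, "no SAN and an IP literal is never compared with the CN"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_match(value, host):
                return True, "matched CN " + value + " (legacy fallback, no SAN)"
    return False, "no SAN and CN does not match " + host
```

Connecting to the CN-only certificate by IP fails exactly as in the question, while the same CN-only certificate still passes for the host name `initcert` via the legacy fallback; once a SAN is present, the CN is no longer consulted at all.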
