Hostname in the certificate and

Time: 2018-01-09 07:02:52

Tags: java ssl jboss keycloak

I have generated a certificate for keycloak using the following command:
keytool -genkey -alias initcert  -keyalg  RSA  -keystore keycloak.jks  -validity 365  -keysize 2048

and below is the output of the above command:

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  initcert
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <initcert>
        (RETURN if same as keystore password):
Re-enter new password:

After that, I exported it from the keycloak keystore:

keytool -export -noprompt -trustcacerts -keystore keycloak.jks -alias initcert -file keycloak.cer -storepass keycloak

Now the same certificate file is used on the Windows 10 client machine and imported into its Java installation like this:

keytool -import -noprompt -trustcacerts -alias "initcert" -file keycloak.cer -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

But when I try to connect to keycloak from the JBoss server, I am getting:

  hostname in certificate didn't match: <135.280.198.150> !=

I added the following in the JBoss server's standalone file:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="ssl" key-alias="initcert" password="keycloak" certificate-key-file="C:\Users\user\Documents\MyFiles\New\keycloak.jks" protocol="TLSv1,SSLv3,SSLv2" verify-client="false"/>
</connector>

Just FYI: Keycloak points to OpenJDK, while the client machine runs Oracle JDK.

I tried the following command on the same machine where the certificate was generated, and it gives the correct result:

keytool -list -v -alias initcert -storepass keycloak -keystore keycloak.jks

Result of the above command:

Alias name: initcert
Creation date: Jan 9, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 2bb3190d
Valid from: Tue Jan 09 09:52:46 IST 2018 until: Wed Jan 09 09:52:46 IST 2019
Certificate fingerprints:
         MD5:  EF:A3:91:B8:B0:1C:61:F4:9D:9C:D6:05:37:D2:13:7D
         SHA1: 73:A1:DF:15:17:1F:0E:34:0C:44:ED:46:90:24:4E:75:F1:0E:BD:48
         SHA256: BE:5A:FE:06:97:E4:1C:55:14:E4:17:01:DD:02:76:88:44:7D:E5:39:4E:3C:5A:03:12:DD:3E:88:C1:96:9C:D2
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A0 57 CC B8 39 1C C9 1A   1A EE 74 72 90 99 89 8D  .W..9.....tr....
0010: 60 90 F3 A3                                        `...
]
]

1 answer:

Answer 0 (score: 1)

Indeed, you must provide the server's correct fully qualified domain name (FQDN) in the certificate. However, putting it in the CN of the certificate subject is actually incorrect, although it is still supported by many implementations. The correct way to set the server name (or IP address) in an X.509 certificate is the Subject Alternative Name (SAN). See how to add subject alernative name to ssl certs? and RFC-5280 for more information.
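As an added illustration of the answer (this is example code, not from the question, the answer, Keycloak or JBoss), the following Python reproduces the hostname check a TLS client performs on a peer certificate, applying the RFC 6125 rules the answer relies on: when a SAN is present only SAN entries count and the CN is ignored, an IP-literal host matches only an `IP Address` entry, and the CN is a legacy fallback used only when the certificate has no SAN at all. It works on the dict shape `ssl.SSLSocket.getpeercert()` returns, so it can be pointed at a live connection. The two certificates are constructed inline: one mirrors the question's keystore entry (CN=initcert, no SAN), the other carries the SAN entries the answer recommends. The host name `keycloak.example.internal` and the address `192.0.2.10` are placeholders, not values from the page.

```python
"""Hostname verification against an X.509 certificate (RFC 6125 style).

Example code only. Operates on the dict shape returned by
ssl.SSLSocket.getpeercert(), so `match_hostname(sock.getpeercert(), host)`
works on a real connection; the certificates below are constructed.
"""
import ipaddress


class CertificateError(ValueError):
    """Raised when the peer certificate does not identify the requested host."""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match; '*' allowed only as the whole left-most
    label and only when at least two more labels follow (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _as_ip(host: str):
    """Return an ip_address object if `host` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def match_hostname(cert: dict, host: str) -> str:
    """Return the certificate identifier that matched `host`, or raise.

    Rules applied (what modern Java and OpenSSL-based clients enforce):
      * if the cert carries a subjectAltName, only SAN entries count and the
        subject CN is ignored entirely;
      * an IP-literal host matches only an 'IP Address' SAN entry, never a
        'DNS' entry and never the CN;
      * the CN is consulted only as a fallback when there is no SAN at all.
    """
    ip = _as_ip(host)
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                if ipaddress.ip_address(value) == ip:
                    return f"IP Address={value}"
            elif ip is None and kind == "DNS" and _dns_name_matches(value, host):
                return f"DNS={value}"
        raise CertificateError(
            f"hostname in certificate didn't match: <{host}> != "
            + ", ".join(f"<{v}>" for _, v in san))
    # Legacy fallback: no SAN at all, so try the last commonName of the subject.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if ip is None and cns and _dns_name_matches(cns[-1], host):
        return f"CN={cns[-1]}"
    raise CertificateError(
        f"hostname in certificate didn't match: <{host}> != <{cns[-1] if cns else ''}>")


def check(cert: dict, host: str) -> tuple:
    """Non-raising wrapper: (True, matched identifier) or (False, error text)."""
    try:
        return True, match_hostname(cert, host)
    except CertificateError as exc:
        return False, str(exc)


# Constructed certificates (not real ones), in getpeercert() layout.
# Like the question's keystore: only a CN, no SAN extension.
CERT_CN_ONLY = {"subject": ((("commonName", "initcert"),),)}
# What the answer recommends: the FQDN and the IP the clients will use, as SAN.
CERT_WITH_SAN = {
    "subject": ((("commonName", "initcert"),),),
    "subjectAltName": (("DNS", "keycloak.example.internal"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for cert, host in [(CERT_CN_ONLY, "192.0.2.10"),
                       (CERT_CN_ONLY, "initcert"),
                       (CERT_WITH_SAN, "192.0.2.10"),
                       (CERT_WITH_SAN, "keycloak.example.internal"),
                       (CERT_WITH_SAN, "initcert")]:
        print(f"{host:>26} -> {check(cert, host)}")
```

The first case is the situation in the question: the client connects by IP address, the certificate has no SAN, and a CN of `initcert` can never satisfy an IP-literal host, which is exactly the "didn't match: <address> !=" failure. With keytool the SAN is set at generation time, e.g. `keytool -genkeypair ... -ext SAN=dns:keycloak.example.internal,ip:192.0.2.10` (placeholder values); a client that connects by IP needs the `ip:` entry, since neither a dNSName nor the CN is consulted for an IP literal. Separately, the connector in the question enables SSLv3 and SSLv2; both are obsolete and should be dropped in favour of TLSv1.2 or later.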