Java's keytool command with IP addresses

java ssl keystore keytool
12,452

Solution 1

This snippet might work for you:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String urlHostName, SSLSession session) {
        System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
        return true;
    }
};

HttpsURLConnection.setDefaultHostnameVerifier(hv);

If you do try this code, and it doesn't work, please post what is printed for urlHostName and session.getPeerHost().

Also, why does having Windows and Linux boxes interoperating require the use of IP addresses rather than hostnames?

Solution 2

To acutally generate a valid certificate using keytool, use:

keytool -keystore keystore.jks -genkey -ext SAN=IP:{IP_ADDRESS}

e.g.:

keytool -keystore keystore.jks -genkey -ext SAN=IP:192.168.1.1

Solution 3

The HTTPS specification (RFC 2818) is quite clear about the server identity verification with an IP address: a Subject Alternative Name (IP) entry must be present in the certificate (whereas the CN in the Subject DN would suffice as a fallback solution for a host name).

Although not all clients (in particular not all browsers) implement this verification strictly, Java default host name verifier does.

Creating a certificate with an IP SAN entry can be done with OpenSSL for example or (not available at the time this question was asked/answered), using Java 7's keytool.

See this question for details: How are SSL certificate server names resolved/Can I add alternative names using keytool?

Share:
12,452
Jon
Author by

Jon

Updated on June 04, 2022

Comments

  • Jon
    Jon almost 2 years

    I'm trying to get an image via an https URL, and am having some problems. I generate a keystore with Java's keytool command. If I specify the common name (CN) equal to my hostname, such as CN=JONMORRA, and then try to query via my hostname, such as https://JONMORRA:8443/ then it works fine. However, if I specify the common name as my ip address, such that CN=192.168.56.1, and try to query via my ip address, such as https://192.168.56.1:8443/ then I get an error

    HTTPS hostname wrong: should be <192.168.56.1>

    Which is stating that my hostname is wrong, even though that's what I specified in the keystore.

    I would like to use ip addresses instead of hostnames so I can query between Linux and Windows boxes without worrying about hostnames.

    Why is the CN not accepting ip addresses, and how can I fix it?

    Thanks

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How do I import a PKCS12 certificate into a java keystore?
keytool error: java.lang.Exception: Keystore file exists, but is empty
Add Self Signed Certificate without promting Yes/No from User
How to create keystore and truststore using self-signed certificate?
Mongo SSL with Java Exception sending message
WebLogic SSL: No identity key/certificate entry was found under alias in keystore
Where the KeyStore password and key password stored
Copying java keystore
How to automatically install self signed certificate in IE Trusted Root Certification Authorities store
Java exception client authentication TLS: password must not be null