Java: hostname in certificate didn't match


I have generated the certificate into Keycloak using the following command

keytool -genkey -alias initcert  -keyalg  RSA  -keystore keycloak.jks  -validity 365  -keysize 2048

Below is the output of the above command

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  initcert
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <initcert>
        (RETURN if same as keystore password):
Re-enter new password:
Alias name: initcert
Creation date: Jan 9, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=initcert, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 2bb3190d
Valid from: Tue Jan 09 09:52:46 IST 2018 until: Wed Jan 09 09:52:46 IST 2019
Certificate fingerprints:
         MD5:  EF:A3:91:B8:B0:1C:61:F4:9D:9C:D6:05:37:D2:13:7D
         SHA1: 73:A1:DF:15:17:1F:0E:34:0C:44:ED:46:90:24:4E:75:F1:0E:BD:48
         SHA256: BE:5A:FE:06:97:E4:1C:55:14:E4:17:01:DD:02:76:88:44:7D:E5:39:4E:3C:5A:03:12:DD:3E:88:C1:96:9C:D2
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A0 57 CC B8 39 1C C9 1A   1A EE 74 72 90 99 89 8D  .W..9.....tr....
0010: 60 90 F3 A3                                        `...
]
]

Now, after all this, I used the same certificate file on the Windows 10 client machine and imported it into Java like below

keytool -import -noprompt -trustcacerts -alias "initcert" -file keycloak.cer -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

But when I try to connect to Keycloak from the JBoss server, I get

hostname in certificate didn't match: !=

Added in the standalone file of the JBoss server

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="ssl" key-alias="initcert" password="keycloak" certificate-key-file="C:\Users\user\Documents\MyFiles\New\keycloak.jks" protocol="TLSv1,SSLv3,SSLv2" verify-client="false"/>
</connector>

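Indeed, you have to provide the correct fully qualified domain name (FQDN) of the server in the certificate. However, setting it in the CN of the certificate subject is actually not correct, although many implementations still support it.
The correct way to set the server name (or IP address) in an X.509 certificate is the Subject Alternative Name (SAN).

See and for more information.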

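Should the CN be the hostname of the server, or can it also be the IP address of the machine?

No: it has to be the hostname as defined in DNS. The IP address of the server goes into the Subject Alternative Name (SAN) field.

You mean the problem is the CN name? Would it be possible for you to also add the command?

I created the certificate like this
keytool -genkey -alias initcert -ext san=ip:135.250.138.74 -keyalg RSA -keystore keycloak.jks -validity 365 -keysize 2048
and even now I am getting the same problem.

The name in the certificate has to match the hostname or IP used in the request URL. Above you said the error message is "hostname in certificate didn't match:". This refers to a different IP than the one you set in the certificate: san=ip:135.250.138.74

Thanks for the reply, but I changed the server earlier and I am not pointing to 135.250.138.74. Now I see this instead of the previous exception:
17:49:36,943 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0:8080-1) failed to turn code into token: java.net.SocketTimeoutException: Read timed out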
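
The matching rule described in the answer and comments above (SAN entries first, CN only as a legacy fallback, IP addresses only via an iPAddress SAN), as an added diagnostic example that is not part of the original thread. The class name `CertNameCheck` and method `covers` are hypothetical; it assumes exact-match comparison only (no wildcard handling, IP literals compared as strings) and is run against the keystore created with keytool.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CertNameCheck {                      // hypothetical helper, not Keycloak or JBoss code
    // GeneralName type codes used by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    /** True if the host from the request URL (DNS name or IP literal) is named by the certificate. */
    static boolean covers(X509Certificate cert, String host) throws Exception {
        boolean isIp = host.matches("[0-9.]+") || host.contains(":");
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when there is no SAN extension
        boolean sawDnsSan = false;
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String value = String.valueOf(san.get(1));
                if (type == DNS_NAME) sawDnsSan = true;
                if (isIp && type == IP_ADDRESS && value.equals(host)) return true;
                if (!isIp && type == DNS_NAME && value.equalsIgnoreCase(host)) return true;
            }
        }
        // Legacy fallback: CN is consulted only for DNS names, and only if no dNSName SAN is present
        if (isIp || sawDnsSan) return false;
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if (rdn.getType().equalsIgnoreCase("CN")
                    && rdn.getValue().toString().equalsIgnoreCase(host)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        // args: <keystore path> <keystore password> <alias> <host exactly as written in the request URL>
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        if (cert == null) throw new IllegalArgumentException("no certificate under alias " + args[2]);
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("SAN:     " + cert.getSubjectAlternativeNames());
        System.out.println(args[3] + " covered by certificate: " + covers(cert, args[3]));
    }
}
```

Run it with the keystore, its password, the alias `initcert` and the host part of the URL the adapter actually calls; a `false` result means the certificate has to be reissued with a matching `-ext san=dns:...` or `-ext san=ip:...` entry.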