Javax.Net.Ssl.Sslexception: Certificate Doesn't Match Any of the Subject Alternative Names

Certificate for <localhost> doesn't match any of the subject alternative names

You need to provide localhost as a subject alternative name when creating your certificate. You can do that by provide the following additional parameter: -ext "SAN:c=DNS:localhost,IP:127.0.0.1"

So something like this:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias stackoverflow -dname "CN=stackoverflow,OU=Hakan,O=Hakan,C=NL" -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -keystore identity.jks -storepass secret -keypass secret -deststoretype pkcs12

Some explanation:

The SAN field will be used to match the hostname which will be provided in the request. So when you are running your application on localhost, lets say https://localhost:443 and you also want to make a request to that specific host than that hostname should also be available within the SAN field or else it will fail during the handshake process.

Let's grab Stackoverflow as an example. To be able to reach stackoverflow over https we would expect that the certificate should contain at least an entry of stackoverflow.com

Below is the certificate SAN value of stackoverflow with the specific DNS highlighted for this example:

As you can see already it contains also other dns values. In this way websites owners can use the same certificate for multiple websites/subdomains etc.

javax.net.ssl.SSLException: Certificate for <> doesn't match any of the subject alternative names: []

This issue is because of,our company configured new servers ,but did not included DNS in server cert.So my company include server names in cert.Now it is working.

Need help in identifying and fixing SSLPeerUnverifiedException

This is a problem with the server certificate, or the DNS mapping, not your code. The server name you connected to is not present in the SSL certificate it presented.

You should not look for insecure workarounds like null HTTPS hostname verifiers.

---

Related Topics