{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 戒情不戒烟 的问题《No subject alternative names present exception whe》','https://www.manongdao.com/q-708185.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I want to create a web service client using wsdl2java utility. I have to connect to this server over SSL
This wsdl looks like this:
https://xxx.xx.xx.xx:8443/api/wsdl/xxxxxxx.wsdl
I generated the certificate using:
openssl s_client -connect xxx.xx.xx.x:8443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > abcCertificate.pem
and added it to keystore using:
keytool -import -noprompt -trustcacerts -alias testcert -file abcCertificate.pem -keystore /usr/java/jdk1.7.0_06/jre/lib/security/cacerts -ext san=ip:xxx.xx.xx.xx
When I try to use wsdl2java to create the web service client, it throws exception:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
I use these information from this link.
You seem to be confused between "importing" and "generating" the certificate.
You
openssl s_clientcommand doesn't generate the certificate, it retrieves the certificate in use on that server.The
keytool -importcommand you use afterwards imports that certificate, as it is, into your truststore. There is no point using-ext san=ip:xxx.xx.xx.xxthere: you're not generating the certificate, you're only importing it.If you're in control of that server, you should generate (or get a certificate from somewhere else) with an IP address SAN (since Java follows the specification strictly on this).
If you're not in control of that server, use its host name (provided that there is at least a CN matching that host name in the existing cert).
In general, it's not great to import directly a certificate obtained solely from a server like this into your trust store, since you're assuming that that particular connection wasn't tampered with.