How Does Java Verify SSL Certificate Server Names and What Are the Troubleshooting Steps?

Resolving SSL Certificate Server Names

SSL certificates play a crucial role in establishing secure connections, but understanding how server names are resolved is essential.

How SSL Certificate Server Names Are Resolved

According to RFC 6125, the process of verifying host names for SSL certificates involves checking the following fields:

1. Subject Alternative Name (SAN): If present, the SAN field takes precedence and contains the valid server names.
2. Common Name (CN): If no SAN field is available, the CN field is used. However, this practice is deprecated.

Java's Hostname Verification

In Java, hostname verification for SSL certificates typically follows the guidelines outlined in RFC 2818. This means that:

• If the certificate includes a SAN field, Java will verify the hostname against the specified values.
• If no SAN field is present, Java will check the CN field for a valid hostname.

Using Keytool to Add Alternative Names

• In Java 7 or later, keytool provides the option to specify Subject Alternative Names (SANs) when generating SSL certificates. Using the -ext parameter with san=dns: or san=ip: will include the desired alternative names in the certificate.

OpenSSL as an Alternative

• If keytool does not meet your needs, OpenSSL can be used to generate self-signed certificates with SANs. By modifying the openssl.cnf configuration file or setting environment variables, you can specify the alternative names to include in the certificate.

Troubleshooting Hostname Verification Errors

If Java is not trusting SSL certificates, despite being added to the trust store, the following steps can help:

• Ensure that the SAN field or CN field in the certificate matches the hostname of the server you are trying to connect to.
• Verify that the certificate authority (CA) that issued the certificate is trusted by Java.
• Consider using a custom HostnameVerifier to override Java's default hostname verification behavior.

The above is the detailed content of How Does Java Verify SSL Certificate Server Names and What Are the Troubleshooting Steps?. For more information, please follow other related articles on the PHP Chinese website!