Home >Java >javaTutorial >How Does Java Resolve Server Names in SSL Certificates?
How Does Java Resolve Server Names in SSL Certificates?
- Patricia ArquetteOriginal
- 2024-12-11 20:44:19232browse
Understanding SSL Certificate Server Name Resolution
In the realm of secure web communication, SSL certificates play a vital role in verifying the identity of servers. The server name resolution process determines how names specified in SSL certificates are used to establish trust in HTTPS connections.
How are SSL Certificate Server Names Resolved?
RFC 2818 and its successor RFC 6125 define the guidelines for server name verification. These standards specify that:
- If the certificate contains a "subjectAltName" extension with the "dNSName" type, it must be used as the identity.
- Otherwise, the Common Name (CN) field in the "Subject" section of the certificate will be utilized.
Java's SSL Certificate Verification Mechanism
Java's SSL mechanism follows the subjectAltName extension priority. If a certificate contains this extension, Java will use the specified domain name or IP address as the identity for verification. Otherwise, it will revert to using the CN field. This behavior is in accordance with the recommended best practices outlined in RFC 2818.
Alternative Name Inclusion Using Keytool
Yes, it is possible to add alternative names to an SSL certificate using keytool. Since Java 7, keytool introduced the "-ext" option, which allows you to include a Subject Alternative Name (SAN) in your certificate. You can specify the SAN as "dns:www.example.com" or "ip:10.0.0.1" based on your requirements.
OpenSSL as an Alternative
If you are not comfortable with using keytool, OpenSSL is an excellent option for generating SSL certificates with SANs. By modifying the openssl.cnf configuration file, you can specify the subjectAltName extension using the "[req]" and "[ v3_req ]" sections. Additionally, you can use the OPENSSL_CONF environment variable to provide an explicit location for the configuration file.
To resolve your issue, you need to verify that your certificates contain the correct server names. If they only include IP addresses in the CN field, browsers may accept them, but Java will not trust them due to the absence of SANs. By adding SANs to your certificates using either keytool or OpenSSL, you can ensure that both browsers and Java recognize your server names correctly.
The above is the detailed content of How Does Java Resolve Server Names in SSL Certificates?. For more information, please follow other related articles on the PHP Chinese website!