How are SSL certificate server names resolved/Can I add alternative names using keytool?

How host name verification should be done is defined in RFC 6125, which is quite recent and generalises the practice to all protocols, and replaces RFC 2818, which was specific to HTTPS. (I'm not even sure Java 7 uses RFC 6125, which might be too recent for this.)

From RFC 2818 (Section 3.1):

    If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

    ... In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

Essentially, the specific problem you have comes from the fact that you're using IP addresses in your CN and not a host name. Some browsers might work because not all tools follow this specification strictly, in particular because "most specific" in RFC 2818 isn't clearly defined (see discussions in RFC 6215). If you're using keytool, as of Java 7, keytool has an option to include a Subject Alternative Name (see the table in the documentation for -ext): you could use -ext san=dns:www.example.com or -ext san=ip:10.0.0.1.

EDIT: You can request a SAN in OpenSSL by changing openssl.cnf (it will pick the copy in the current directory if you don't want to edit the global configuration, as far as I remember, or you can choose an explicit location using the OPENSSL_CONF environment variable). Set the following options (find the appropriate sections within brackets first):

    [req]
    req_extensions = v3_req

    [v3_req]
    subjectAltName=IP:10.0.0.1
    # or subjectAltName=DNS:www.example.com

There's also a nice trick to use an environment variable for this (rather than fixing it in a configuration file) here: http://www.crsr.net/Notes/SSL.html.
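As an added illustration (not part of Bruno's answer), here is a Python function that applies the RFC 2818 rule quoted above to a constructed, simplified certificate representation (a dict with cn, san_dns and san_ip rather than a parsed X.509 object). The wildcard handling is the leftmost-label rule from RFC 6125, which the answer does not discuss, so treat that part as an assumption.

```python
"""Identity check in the style of RFC 2818 section 3.1: if dNSName SANs are
present they are the only DNS identities considered (the CN is ignored), and an
IP reference must exactly match an iPAddress SAN. The certificate is a
constructed dict, not a real parsed certificate."""
import ipaddress


def _ip_or_none(text):
    """Parse an IP literal, or return None if the text is not one."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match. A '*' is accepted only as the whole
    leftmost label and matches exactly one label (RFC 6125 leftmost-label
    rule, assumed here); '*.com' style patterns are rejected."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def matches_identity(cert, reference):
    """cert = {"cn": str or None, "san_dns": [str], "san_ip": [str]}."""
    ref_ip = _ip_or_none(reference)
    if ref_ip is not None:
        # IP reference: only iPAddress SANs count, compared as parsed
        # addresses so textual variants of one IPv6 address still match.
        return any(_ip_or_none(ip) == ref_ip for ip in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns:
        # dNSName present: it MUST be used; the CN is not consulted.
        return any(_dns_match(p, reference) for p in san_dns)
    cn = cert.get("cn")
    return bool(cn) and _dns_match(cn, reference)


if __name__ == "__main__":
    # The situation in the question: an IP address placed in the CN only.
    print(matches_identity({"cn": "10.0.0.1"}, "10.0.0.1"))          # False
    print(matches_identity({"san_ip": ["10.0.0.1"]}, "10.0.0.1"))    # True
```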

This is exactly what I needed to know... however, it seems Java 6 does not have this -ext option. I will try to change my VM to Java 7 and test this. – Renato Dec 9 at 13:48

Note that you can use keytool from Java 7 on a different machine and copy the keystore across later (you don't have to be running Java 7). Alternatively, I've edited my answer for doing it with OpenSSL. This being said, you might find it more flexible to use host names instead of IP addresses in the long run (using SANs is a good idea anyway). – Bruno Dec 9 at 14:00

The -ext option does not work in Java 6! I will switch to Java 7 and see if I can do it just using keytool... Thanks very much for the answer.. (PS. Will accept the answer once I've tested it) – Renato Dec 9 at 14:03

Ok... but I can't use host names because the servers are "dynamic" (they are booted and used on-demand)... Not sure if that would even be possible.... even their IP addresses I believe I will only be able to find during run time. – Renato Dec 9 at 14:06

The fact that you're using IP addresses in your certs is going to be even more of a problem in this case. Potentially changing IP addresses is what DNS is for. You have a better chance of solving your problem by using a dynamic DNS service and using certs with that name (or any CNAME that would resolve to that dynamic name). – Bruno Dec 9 at 14:11
