Possible Duplicate:
How are SSL certificate server names resolved/Can I add alternative names using keytool?
I created a certificate and set the CN to the IP address of my server, which is in xxx.xxx.xxx.xxx format. But when I try to run my code in Java, I’m getting an `HTTPS hostname wrong: should be <xxx.xxx.xxx.xx>` error message.
What could be wrong? I’m sure that I’m connecting to the correct IP address. However, I did not specify the port of the server on the certificate. Is the port required when supplying the value for CN? But I’m using the default port for https, which is 8443. Also, I tried changing my CN from the IP address of my server to “localhost”. It works after that. I’m wondering whether the CN part does not accept an IP address as a value?
Can you please explain how the CN works and what the required values for it are?
Thanks!
The identity you need to put in the certificate needs to be the one you’re looking for via the URL. For example, if you’re using
https://www.example.net, your certificate needs to be valid for www.example.net; if you’re using https://10.0.0.1/, your certificate needs to be valid for 10.0.0.1. The Common Name RDN in the Subject DN of the certificate is normally only used when (a) there is no Subject Alternative Name DNS entry and (b) it’s looking for a host name, not an IP address. This is defined in RFC 2818 Section 3.1:
In general, using IP addresses in certificates is not recommended (see the problems mentioned in RFC 6125). However, if you really need to, you’ll need a certificate with the IP address as a SAN entry of IP address type, which you can generate as described in this answer.
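The RFC 2818 section 3.1 rule the answer describes, written out as a small host-matching function. This is an added illustration, not code from the question, the answer, or the JDK; the certificates are constructed in-memory records of CN and SAN entries rather than parsed X.509, and the IP 192.0.2.10 is a documentation address standing in for the asker's server.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class CertIdentity:
    """Names found in a certificate: Subject CN plus SAN entries (constructed, not a parsed cert)."""
    cn: str = ""                                        # Subject CN, "" when absent
    san_dns: list[str] = field(default_factory=list)    # SAN dNSName entries
    san_ip: list[str] = field(default_factory=list)     # SAN iPAddress entries

def host_from_url(url: str) -> str:
    """The identity to check is the host part of the URL only; the port (8443 etc.) plays no role."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match allowing one wildcard in the leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def matches_host(cert: CertIdentity, url: str) -> bool:
    """Apply the RFC 2818 section 3.1 rule to decide whether `cert` is valid for `url`."""
    host = host_from_url(url)
    if _is_ip_literal(host):
        # An IP literal is compared only against SAN iPAddress entries; the CN is never consulted,
        # which is why a CN holding the server's IP still fails hostname verification.
        want = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == want for ip in cert.san_ip)
    if cert.san_dns:
        # Once any dNSName SAN exists, the CN is ignored even if it would have matched.
        return any(_dns_match(name, host) for name in cert.san_dns)
    # Legacy fallback: no dNSName SAN, so the CN is used as the host name.
    return bool(cert.cn) and _dns_match(cert.cn, host)

# Constructed cases mirroring the question: CN=IP fails, CN=localhost works, a SAN IP entry fixes it.
print(matches_host(CertIdentity(cn="192.0.2.10"), "https://192.0.2.10:8443/"))                            # False
print(matches_host(CertIdentity(cn="localhost"), "https://localhost:8443/"))                              # True
print(matches_host(CertIdentity(cn="192.0.2.10", san_ip=["192.0.2.10"]), "https://192.0.2.10:8443/"))     # True
```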