Configuring CAS HTTPS with an IP address instead of a domain name

Source: https://blog.csdn.net/qq_33873431/article/details/79354148

When the CAS logout address uses https, the following error is reported: Error is [java.security.cert.CertificateException: No subject alternative names present]

For certain reasons, CAS and its subsystems need to be accessed by IP address, and over the HTTPS protocol.

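Many articles online say that CAS single sign-on requires a domain name and that the CAS server cannot be accessed by IP. This is actually wrong, and it has nothing to do with CAS. The certificate can currently be generated with Java 1.7; JDK 1.7 is required because the -ext parameter is needed.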

Generating the certificate

 

keytool -genkey -alias cas41key -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456  -dname "CN=10.1.4.41,OU=csoa,O=csoa,L=FZ,ST=FZ,C=CN" -ext san=ip:10.1.4.41   -validity 3600  -keystore /home/nloa/bak/cas41.keystore

 

RFC 2818 (Section 3.1):

  If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

  [...]

  In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

 

With JDK 1.7, according to the keytool parameter documentation, keytool can use -ext san=dns:www.example.com or -ext san=ip:10.0.0.1 to include a Subject Alternative Name (SAN).
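The RFC 2818 rule quoted above explains why a certificate with CN=10.1.4.41 but no SAN is rejected when the URI uses the IP. The following is an added example, not code from the original post or from CAS or the JDK: a Python sketch of that identity check run over constructed certificate fields. The function names, the (type, value) SAN representation and all reason strings except the error message shown on this page are assumptions of the example.

```python
import ipaddress

def as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None

def dns_match(pattern, host):
    """Case-insensitive compare; '*' is accepted only as the whole leftmost
    label (a simplification of the RFC 2818 wildcard rule)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def check_identity(host, cn, san):
    """host: host part of the URI; cn: subject Common Name;
    san: list of (type, value) pairs such as ("IP", "10.1.4.41").
    Returns (ok, reason)."""
    ip = as_ip(host)
    if ip is not None:
        # IP in the URI: only an iPAddress SAN counts, the CN is not consulted.
        if not san:
            return False, "No subject alternative names present"
        if any(t == "IP" and as_ip(v) == ip for t, v in san):
            return True, "iPAddress SAN matches"
        return False, "no iPAddress SAN matches the IP in the URI"
    dns_sans = [v for t, v in san if t == "DNS"]
    if dns_sans:
        # A dNSName SAN is present, so it MUST be used and the CN is ignored.
        ok = any(dns_match(v, host) for v in dns_sans)
        return ok, "dNSName SAN matches" if ok else "no dNSName SAN matches"
    ok = dns_match(cn, host)
    return ok, "Common Name fallback" if ok else "Common Name does not match"

# Constructed sample certificates (subject CN + SAN list), not real ones.
WITHOUT_EXT = {"cn": "10.1.4.41", "san": []}                  # keytool without -ext
WITH_EXT = {"cn": "10.1.4.41", "san": [("IP", "10.1.4.41")]}  # -ext san=ip:10.1.4.41

if __name__ == "__main__":
    for name, cert in (("without -ext", WITHOUT_EXT), ("with -ext", WITH_EXT)):
        print(name, check_identity("10.1.4.41", cert["cn"], cert["san"]))
```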
