1.创建密钥库
keytool -genkey -alias tomcat -keyalg RSA -keypass tomcat -storepass tomcat -keystore server.keystore -validity 3650 -dname "CN=cas.example.org,OU=csoa,O=csoa,L=FZ,ST=FZ,C=CN" -ext san=dns:cas.example.org,ip:192.168.1.220
2.导出证书文件供客户端(浏览器、JAVA客户端)使用
keytool -export -trustcacerts -alias tomcat -file server.cer -keystore server.keystore -storepass tomcat
3.客户端导入证书
- 客户端若为浏览器
双击第2步生成的server.cer,安装即可! - 客户端若为JAVA程序
客户端jdk使用keytool命令将服务端提供的server.cer证书导入到cacerts信赖库。
keytool -import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ./server.cer -storepass changeit
4.期间遇到的错误
(1) JAVA客户端导入证书后无效
可能原因:系统存在多个jdk版本,导入目标位置("%JAVA_HOME%/jre/lib/security/cacerts")是否为正在使用的jdk目录,此类问题多见于开发工具。
(2) Subject Alternative names未设定
错误:
浏览器提示:
此服务器无法证实它就是 cas.example.org - 它的安全证书没有指定主题备用名称。这可能是因为某项配置有误或某个攻击者拦截了您的连接。
java端提示:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
2020-11-25 10:06:38,102 ERROR [org.jasig.cas.client.util.CommonUtils] - <java.security.cert.CertificateException: No subject alternative names present>
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:1.8.0_271]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:353) ~[na:1.8.0_271]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) ~[na:1.8.0_271]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:291) ~[na:1.8.0_271]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652) ~[na:1.8.0_271]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471) ~[na:1.8.0_271]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367) ~[na:1.8.0_271]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376) ~[na:1.8.0_271]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:1.8.0_271]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:1.8.0_271]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:1.8.0_271]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154) ~[na:1.8.0_271]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279) ~[na:1.8.0_271]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188) ~[na:1.8.0_271]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401) ~[na:1.8.0_271]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373) ~[na:1.8.0_271]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:587) ~[na:1.8.0_271]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_271]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570) ~[na:1.8.0_271]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) ~[na:1.8.0_271]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268) ~[na:1.8.0_271]
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:311) [cas-client-core-3.1.12.jar:na]
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:291) [cas-client-core-3.1.12.jar:na]
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:32) [cas-client-core-3.1.12.jar:na]
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:187) [cas-client-core-3.1.12.jar:na]
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) [spring-security-cas-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) [spring-security-cas-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) [spring-security-core-3.2.0.RC1.jar:3.2.0.RC1]
at com.ustcinfo.tpc.framework.core.spring.security.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:168) [usi-upp-core-2.0.0.RELEASE.jar:na]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:65) [cas-client-core-3.1.12.jar:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:152) [spring-orm-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at com.ustcinfo.tpc.framework.core.web.HttpAcceptCookieFilter.doFilter(HttpAcceptCookieFilter.java:35) [usi-upp-core-2.0.0.RELEASE.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at com.ustcinfo.datacage.web.filter.UeditorFilter.doFilter(UeditorFilter.java:35) [classes/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:7.0.106]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) [catalina.jar:7.0.106]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) [catalina.jar:7.0.106]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165) [catalina.jar:7.0.106]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104) [catalina.jar:7.0.106]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025) [catalina.jar:7.0.106]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.106]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452) [catalina.jar:7.0.106]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201) [tomcat-coyote.jar:7.0.106]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654) [tomcat-coyote.jar:7.0.106]
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317) [tomcat-coyote.jar:7.0.106]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_271]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_271]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.106]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_271]
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:150) ~[na:1.8.0_271]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:99) ~[na:1.8.0_271]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:441) ~[na:1.8.0_271]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:422) ~[na:1.8.0_271]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:228) ~[na:1.8.0_271]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128) ~[na:1.8.0_271]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636) ~[na:1.8.0_271]
... 67 common frames omitted
2020-11-25 10:13:15,797 ERROR [org.jasig.cas.client.util.CommonUtils] - <java.security.cert.CertificateException: No subject alternative names present>
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:1.8.0_271]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:353) ~[na:1.8.0_271]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) ~[na:1.8.0_271]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:291) ~[na:1.8.0_271]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652) ~[na:1.8.0_271]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471) ~[na:1.8.0_271]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367) ~[na:1.8.0_271]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376) ~[na:1.8.0_271]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:1.8.0_271]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:1.8.0_271]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:1.8.0_271]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154) ~[na:1.8.0_271]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279) ~[na:1.8.0_271]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188) ~[na:1.8.0_271]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401) ~[na:1.8.0_271]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373) ~[na:1.8.0_271]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:587) ~[na:1.8.0_271]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_271]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570) ~[na:1.8.0_271]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) ~[na:1.8.0_271]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268) ~[na:1.8.0_271]
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:311) [cas-client-core-3.1.12.jar:na]
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:291) [cas-client-core-3.1.12.jar:na]
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:32) [cas-client-core-3.1.12.jar:na]
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:187) [cas-client-core-3.1.12.jar:na]
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) [spring-security-cas-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) [spring-security-cas-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) [spring-security-core-3.2.0.RC1.jar:3.2.0.RC1]
at com.ustcinfo.tpc.framework.core.spring.security.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:168) [usi-upp-core-2.0.0.RELEASE.jar:na]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:65) [cas-client-core-3.1.12.jar:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.2.0.RC1.jar:3.2.0.RC1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:152) [spring-orm-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at com.ustcinfo.tpc.framework.core.web.HttpAcceptCookieFilter.doFilter(HttpAcceptCookieFilter.java:35) [usi-upp-core-2.0.0.RELEASE.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at com.ustcinfo.datacage.web.filter.UeditorFilter.doFilter(UeditorFilter.java:35) [classes/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.106]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.106]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:7.0.106]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) [catalina.jar:7.0.106]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) [catalina.jar:7.0.106]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165) [catalina.jar:7.0.106]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104) [catalina.jar:7.0.106]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025) [catalina.jar:7.0.106]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.106]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452) [catalina.jar:7.0.106]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201) [tomcat-coyote.jar:7.0.106]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654) [tomcat-coyote.jar:7.0.106]
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:319) [tomcat-coyote.jar:7.0.106]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_271]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_271]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.106]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_271]
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:150) ~[na:1.8.0_271]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:99) ~[na:1.8.0_271]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:441) ~[na:1.8.0_271]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:422) ~[na:1.8.0_271]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:228) ~[na:1.8.0_271]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128) ~[na:1.8.0_271]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636) ~[na:1.8.0_271]
... 67 common frames omitted
解决办法:
第1步创建密钥库时,增加额外信息 -ext san=dns:cas.example.org,ip:192.168.1.220
keytool -genkey -alias tomcat -keyalg RSA -keypass tomcat -storepass tomcat -keystore server.keystore -validity 3650
改为:
keytool -genkey -alias tomcat -keyalg RSA -keypass tomcat -storepass tomcat -keystore server.keystore -validity 3650 -dname "CN=cas.example.org,OU=csoa,O=csoa,L=FZ,ST=FZ,C=CN" -ext san=dns:cas.example.org,ip:192.168.1.220