本文介绍如何通过IP地址实现CAS单点登录系统的HTTPS访问,并解决因缺少Subject Alternative Name而导致的CertificateException错误。文中提供了使用Java 1.7及keytool生成包含特定IP地址的证书的具体步骤。
cas注销时地址是https,提示Error is [java.security.cert.CertificateException: No subject alternative names present]
因为某些原因,访问cas以及子系统希望通过ip来访问并且要使用https协议
网上很多文章说要使用CAS单点登录必须要配置域名, cas server是不能通过ip访问的,这实际上是错误的,这和cas无关,目前可以通过java 1.7来生成证书,需要JDK1.7,因为需要-ext参数
生成证书方式
keytool -genkey -alias cas41key -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -dname "CN=10.1.4.41,OU=csoa,O=csoa,L=FZ,ST=FZ,C=CN" -ext san=ip:10.1.4.41 -validity 3600 -keystore /home/nloa/bak/cas41.keystoreRFC 2818 (Section 3.1)
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
[...]
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.jdk1.7,查阅keytool参数文档,keytool可以使用-ext san=dns:www.example.com 或者 -ext san=ip:10.0.0.1 来包括Subject Alternative Name (SAN,主题备用名称)
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
