How Does SSL Certificate Server Name Resolution Work, and How Can I Add Alternative Names?

Understanding SSL Certificate Server Name Resolution

SSL certificate server name resolution plays a crucial role in ensuring secure communication in HTTPS connections. Here's a detailed breakdown of how it works and how to address alternative names using keytool:

How SSL Certificate Server Names Are Resolved

When a client establishes an HTTPS connection, it sends a Server Name Indication (SNI) extension to the server, specifying the hostname it intends to connect to. The server then presents an SSL certificate that matches the provided hostname, either through the Common Name (CN) field or Subject Alternative Name (SAN) extension.

Browser Behavior and Java's Verification Mechanism

Browsers typically use the CN field of the certificate for hostname verification. However, Java's verification mechanism primarily considers the SAN extension and may reject certificates without valid SANs. This discrepancy arises from the aforementioned RFCs that define hostname verification standards.

Adding Alternative Names Using Keytool

keytool, in Java 7 and later, allows you to add SANs to SSL certificates using the -ext option. The syntax for SANs is -ext san=dns:www.example.com or -ext san=ip:10.0.0.1.

OpenSSL as an Alternative

OpenSSL can also be used to request SANs. In the openssl.cnf configuration file, add the following options:

[req]
req_extensions = v3_req

[ v3_req ]
subjectAltName=IP:10.0.0.1
# or subjectAltName=DNS:www.example.com

You can also set environment variables to specify SANs at runtime. Refer to the CRSR.net article for further details.

The above is the detailed content of How Does SSL Certificate Server Name Resolution Work, and How Can I Add Alternative Names?. For more information, please follow other related articles on the PHP Chinese website!