Question
The Error :
javax.net.ssl.SSLException: Certificate for <localhost> doesn't match any of the subject alternative names: [xxxxxxx.xxx.xxxxxx.xxx]
I have a Spring Boot App running in my localhost. I also have a tunnel ssh
via putty to a server.
Things I have done:
- I manually created/imported keys/certificates of all ways.
- I used -ext from keytool to add the dns addr and the localhost to SAN.
- I also used a openSource java file to install the cert.
- I changed the hosts files to: 127.0.0.1 xxx.xxx.xxxxxxx.xxx (if I ping the dns name it responds to the localhost address)
- I used the VM Arguments -Djavax.net.debug=ssl to check if the certs are loading properly.
What am I missing? BTW, I'm also using a VPN.
Answer
You need to provide localhost as a subject alternative name when creating your
certificate. You can do that by provide the following additional parameter:
-ext "SAN:c=DNS:localhost,IP:127.0.0.1"
So something like this:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias stackoverflow \
-dname "CN=stackoverflow,OU=Hakan,O=Hakan,C=NL" \
-ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 \
-storepass <password> -keypass <password> \
-keystore identity.jks -deststoretype pkcs12
Some explanation:
The SAN field will be used to match the hostname, which will be provided in
the request. So when you are running your application on localhost, lets say
https://localhost:443, and you also want to make a request to that specific
host, then that hostname should also be available within the SAN field;
otherwise, it will fail during the handshake process.
Let's grab Stackoverflow as an example. To be able to reach stackoverflow over
https we would expect that the certificate should contain at least an entry of
stackoverflow.com
Below is the certificate SAN value of stackoverflow with the specific DNS
highlighted for this example: 
As you can see already it contains also other DNS values. In this way websites owners can use the same certificate for multiple websites/subdomains etc.
