How to fix javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
This article covers how to resolve the SSLHandshakeException below and the likely cause behind it.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
Cause of error
This error occurs because the CN (Common Name) defined in your certificate does not match the domain the application is running on.
For example, your certificate defines the CN as www.example.com, but you are running the application at a URL such as http://localhost:8080/api
How to fix the above error
There are 2 easy ways to fix the above error.
Use this command to check which CN is defined in your certificate:
keytool -printcert -v -file certificate.crt
# where certificate.crt is the name of your certificate file
You should get output like this:
Owner: EMAILADDRESS=email@example.com, CN=www.mydomain.com, OU=organisation, O=my group, L=edinburgh, ST=edinburgh, C=gb
Issuer: EMAILADDRESS=firstname.lastname@example.org, CN=www.mydomain.comm, OU=organisation, O= my group, L=edinburgh, ST=edinburgh, C=gb
Serial number: dcc3d4ffe7a016f2
Valid from: Tue Jun 26 12:41:05 BST 2018 until: Wed Jun 26 12:41:05 BST 2019
Signature algorithm name: SHA256withRSA
Pay close attention to CN=www.mydomain.com in the first line of the output above. If you are running the application from that domain, you should not encounter the error.
So to fix the error, use one of the approaches below:
- Run the application on the same domain as the ‘CN’ defined in your certificate.
- Along with the CN, you can add Subject Alternative Names (SANs) to your certificate, which is like adding more than one domain to the certificate. Link below describes the process of adding multiple domains (subject-alt-name) to a JKS file and also to a certificate.
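The check and the second fix above as a shell script, added here as an example and not part of the original article: make_keystore_with_san creates a self-signed certificate with SAN entries using keytool's -ext SAN= option, and cert_covers_host reads keytool -printcert -v output and reports whether a host is covered by a SAN entry, only by the CN, or not at all. The function names, the demo alias, the changeit password and the sample output are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Alias, password and
# function names are placeholders chosen for the demo.

# Fix 2: create a self-signed key pair whose certificate carries extra names.
# $1 = keystore file, $2 = SAN list, e.g. "dns:localhost,ip:127.0.0.1"
make_keystore_with_san() {
  keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=www.mydomain.com, OU=organisation, O=my group, C=gb" \
    -ext "SAN=$2" -keystore "$1" -storepass changeit -keypass changeit
}

# Read `keytool -printcert -v` output on stdin and report how host $1 is
# covered: prints "san", "cn" or "none". Exact, case-insensitive match only;
# wildcard names are not expanded. Against a real file:
#   keytool -printcert -v -file certificate.crt | cert_covers_host localhost
cert_covers_host() {
  awk -v host="$1" '
    BEGIN { host = tolower(host); verdict = "none" }
    /^Owner:/ {
      n = split($0, parts, /, */)
      for (i = 1; i <= n; i++) {
        sub(/^Owner: */, "", parts[i])
        if (parts[i] ~ /^CN=/ && tolower(substr(parts[i], 4)) == host && verdict == "none")
          verdict = "cn"
      }
    }
    /SubjectAlternativeName \[/ { in_san = 1; next }
    in_san && /^\]/ { in_san = 0 }
    in_san && $1 ~ /^(DNSName|IPAddress):$/ && tolower($2) == host { verdict = "san" }
    END { print verdict }
  '
}

# Constructed sample of `keytool -printcert -v` output for a certificate with SANs.
sample_printcert() {
  cat <<'EOF'
Owner: EMAILADDRESS=email@example.com, CN=www.mydomain.com, OU=organisation, O=my group, C=gb
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.mydomain.com
  DNSName: localhost
  IPAddress: 127.0.0.1
]
EOF
}

sample_printcert | cert_covers_host localhost          # san
sample_printcert | cert_covers_host api.mydomain.com   # none
```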