
I am trying to test SSL with a spring boot app running on my personal computer. I generated a PKCS12 certificate using keytool with the following parameters.

CN = localhost:8080
OU = localhost:8080
O = localhost:8080
L = Galle
S = Galle
C = LK

I configured my app to use this certificate and installed this self signed certificate in to my chrome browser.


When I attempt to access my API endpoint (https://localhost:8080/api/meta/divisions) using the chrome extension Advanced REST client, I am receiving an error saying

Certificate is invalid for given domain
Certificate presented to the app has different CN (common name) than the domain of the request.

What is the reason for this error, and how can I fix this?

Chamila Wijayarathna
  • A `CN` should only be a name, not port there. You also need to fill the "SAN" extension with the same name, otherwise browsers will/may not accept it. This article may help: https://letsencrypt.org/docs/certificates-for-localhost/ – Patrick Mevzek Jun 05 '20 at 17:00

2 Answers

This was fixed when using 127.0.0.1 as CN and filling a SAN extension when generating the self signed certificate.

Chamila Wijayarathna

I tried to reproduce the same behaviour and initially my Chrome also blocked the page. It looks like Google is not allowing localhost:8080 as a CN name.

If you try the following command:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=abcd,OU=efgh,O=ijkl,L=Galle,C=LK" -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -keystore identity.jks -storepass secret -keypass secret -storetype PKCS12

Add the following spring properties to your application with your own values:

server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:identity.jks
    key-password: secret
    key-store-password: secret

Export the certificate from the keystore and add it to your machine or Chrome, and it should work. To extract the certificate you can use the following command:

keytool -exportcert -keystore identity.jks -storepass secret -alias server -rfc -file server.cer

Could you retry it with the steps above?

Hakan54
  • 1) Chrome uses the SAN and not the CN 2) In both cases (either SAN or CN) you should use just a hostname, you are not allowed to put a port there – Patrick Mevzek Jun 05 '20 at 21:59
  • I am aware that it indeed is using the SAN field. The request url should match the SAN field or else it will for sure fail. CN can be any given name and doesn't reflect the url which will be used. But I am not aware that Chrome doesn't allow the port. Do you have a reference to that rule somewhere? Just out of curiosity – Hakan54 Jun 05 '20 at 22:08
  • You are mixing two things. You can ONLY put names (not port) in CN and SAN. This is defined by X.509 and has nothing to do with Chrome or any specific browser. The matching has to be done on the name, it is not a URL. Then for the CN vs SAN and what browsers are doing, please see https://www.chromestatus.com/feature/4981025180483584 for Chrome – Patrick Mevzek Jun 05 '20 at 22:11
  • Yes, you are right! I was indeed mixing up these things. I retested it by changing the CN name from localhost:8080 to something else such as `abcd` and kept the SAN field as is. And kept the Chrome configuration as is and it worked instantly, so no adjustments required to Chrome. I will update my answer, Thank you @PatrickMevzek – Hakan54 Jun 05 '20 at 22:34
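To make the rule from the answer and the comments concrete, here is an added illustration (not code from the question or the answers) of how a TLS client decides whether a certificate is "valid for the given domain": the client takes the bare host out of the URL, compares it against the DNS and IP entries of the subjectAltName, and consults the CN only when there is no SAN at all. The `san` list shape and the function names are assumptions made for the example.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Added illustration: RFC 6125 / RFC 2818 style name matching as browsers apply it.
# Names are matched, never host:port, and the CN is only a legacy fallback
# used when the certificate carries no subjectAltName (Chrome dropped even that,
# see the chromestatus link in the comments above).

def request_host(url: str) -> str:
    """The name the client matches: the URL host with scheme, port and path removed."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    return host

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; '*' may only be the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p, h = pattern.split("."), host.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return False

def _ip_match(san_ip: str, host: str) -> bool:
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(host)
    except ValueError:  # one side is not an IP literal
        return False

def cert_matches_url(san: List[Tuple[str, str]], cn: Optional[str], url: str) -> Tuple[bool, str]:
    """Return (accepted, reason). san holds (type, value) pairs such as ("DNS", "localhost")."""
    host = request_host(url)
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    if san:
        # SAN present: the CN is ignored, so CN=abcd is fine as long as SAN lists the host.
        for kind, value in san:
            if host_is_ip and kind.upper() == "IP" and _ip_match(value, host):
                return True, "matched SAN IP %s" % value
            if not host_is_ip and kind.upper() == "DNS" and _dns_match(value, host):
                return True, "matched SAN DNS %s" % value
        return False, "host %r is not listed in subjectAltName" % host
    # Legacy fallback without any SAN: compare against the CN as a DNS name.
    if cn and not host_is_ip and _dns_match(cn, host):
        return True, "matched CN %s (no SAN; modern browsers reject this)" % cn
    return False, "CN %r is not the host %r (a CN holding host:port can never match)" % (cn, host)
```

Running it with the question's certificate (CN `localhost:8080`, no SAN) against `https://localhost:8080/api/meta/divisions` reproduces the "different CN than the domain" failure, while the answer's `DNS:localhost,IP:127.0.0.1` SAN is accepted for both `localhost` and `127.0.0.1` whatever the CN says.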