Hi Ognjen,

Reading the PDF link you provided, it seems that I should use IP-based
certificates, and for each different IP which needs a certificate I will have
to request one.

I should use -ext san=ip:$ip instead of -ext san=dns:$host.
Then the CA will not drop the details.

Regards,

Miten.



On Fri, Jan 17, 2014 at 7:30 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Miten,
>
>
> On 17.1.2014 14:33, Miten Mehta wrote:
>
>> The catalina.out complains with SSL handshake stating No Name matching
>> mhoodws.ril.local found.
>>
>
> For security reasons, a CA shouldn't sign any certificate containing an
> internal server name (either as CN, or subjectAltName):
>
> "As of July 1, 2012, all CAs were required to notify customers applying
> for internal name certificates that the use of such certificates has been
> deprecated by the CA / Browser Forum and that the practice will be
> eliminated by October 2016."
>
> https://cabforum.org/internal-names/
>
> So, I guess your CA removed subjectAltName while signing the certificate,
> and also failed to notify you about the removal.
>
> -Ognjen
>
>
>
>
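An added example, not part of this thread: a simplified Python model of the RFC 2818-style name check behind the "No name matching ... found" error, for comparing the SAN entries requested with -ext against what the CA actually issued. Only the host name comes from the thread; the CN, the IP address and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data; only the host name appears in the thread.
HOST = "mhoodws.ril.local"
CN = "server.example.com"                 # assumed subject CN
REQUESTED = [("dns", HOST)]               # what -ext san=dns:$host asks for
ISSUED = []                               # SAN extension removed by the CA

def is_ip(target):
    """True when the client connects to an IP literal rather than a name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def target_matches(target, cn, san):
    """san is a list of (type, value) pairs with type 'dns' or 'ip'."""
    if is_ip(target):
        # IP targets are compared with iPAddress entries only, never the CN.
        want = ipaddress.ip_address(target)
        return any(t == "ip" and ipaddress.ip_address(v) == want for t, v in san)
    dns_names = [v for t, v in san if t == "dns"]
    if dns_names:
        return any(dns_match(n, target) for n in dns_names)
    # No dNSName entries at all: fall back to the subject CN.
    return cn is not None and dns_match(cn, target)

def dropped_by_ca(requested, issued):
    """SAN entries present in the CSR but missing from the signed certificate."""
    return [entry for entry in requested if entry not in issued]

if __name__ == "__main__":
    print("dropped by CA:", dropped_by_ca(REQUESTED, ISSUED))
    print("client using host name:", target_matches(HOST, CN, ISSUED))
    ip_only = [("ip", "192.0.2.10")]
    print("IP SAN, client using IP:", target_matches("192.0.2.10", CN, ip_only))
    print("IP SAN, client using host name:", target_matches(HOST, CN, ip_only))
```

A certificate whose only SAN is an IP address matches only clients that connect to that IP literal; clients that still use the host name fail the same check.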
