I am building a JAX-WS client that connects to a server which uses self-signed certificates with a wildcard character in the CN. The subject field of the certificates looks like:

"CN=*.mylocation.mycompany.corp, O=MyCompany, C=MyCountry"

Because there are self-signed certificates on the server side, my JAX-WS client works only with an explicit trust manager that accepts all certificates, such as the one described in this answer.

I keep coming across statements such as "Sun's JSSE doesn't support wildcard", for example in the answer to Can Java connect to wildcard ssl.

I cannot find any official documentation from Oracle about self-signed/wildcard certificates being blocked, or anything to support statements such as the one above.

Is this true? Is there any official documentation about this?

agenthost

1 Answer

There appear to be two StackOverflow answers that home in on your question:

  1. telling java to accept self-signed ssl certificate
  2. How can I use different certificates on specific connections?
Keith
  • Thanks, I've done exactly the same thing in my code as the answers in those questions. But all I am looking for is some kind of official documentation from Oracle that says self-signed certificates and wildcard certificates are blocked by default in Java – agenthost Aug 31 '15 at 14:50
  • Regarding self-signed, there is no need for official documentation: Java validates a certificate, and a self-signed certificate cannot be verified since there is no trusted issuer for this certificate in the key store. Thus self-signed certificates are not blocked; the validation simply fails. If you import the certificate into the key store it should work. – Steffen Ullrich Aug 31 '15 at 15:16
  • Even if you import the certificate into the keystore, you still need to set an explicit trust manager programmatically that accepts all certificates. Am I right? – agenthost Sep 01 '15 at 08:27
  • No, once you have imported the certificate into cacerts (jre/lib/security/cacerts) you don't need to set up trust managers programmatically, but you do have to set the CN property to point at the host (or add SAN extensions to allow the host/IPs), otherwise you are going to get hostname verification exceptions. – comeGetSome Mar 04 '16 at 11:35
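The two approaches discussed in the thread side by side, as an added example that is not code from the question or the answers. The first context is the "accept all certificates" trust manager the question describes; it disables chain validation entirely, so any certificate (including one presented by a man-in-the-middle) is accepted. The second loads a dedicated truststore into which the server's self-signed certificate was imported with keytool and leaves the default trust manager and the default hostname verifier in place, which is the setup the last two comments describe. The file name ws-trust.jks, the alias, the password and the Java 8 / JAX-WS RI environment are assumptions; the request-context property name is the string value of JAXWSProperties.SSL_SOCKET_FACTORY in the JAX-WS RI.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.xml.ws.BindingProvider;

public final class SelfSignedTrust {

    /** The workaround from the question: every chain passes. Chain validation is
     *  switched off, so this must not reach production. Shown only for contrast. */
    static SSLContext trustAllInsecure() throws Exception {
        TrustManager[] acceptEverything = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptEverything, null);
        return ctx;
    }

    /** Hardened variant: trust exactly the certificates in a dedicated truststore.
     *  Build the store once (assumed file names, run outside Java):
     *    keytool -importcert -alias ws-selfsigned -file server.pem -keystore ws-trust.jks
     *  The default TrustManager validates the chain against that store and the
     *  default HostnameVerifier checks the host against the SAN/CN, so the
     *  *.mylocation.mycompany.corp wildcard is handled by the JDK, not by us. */
    static SSLContext trustStoreContext(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Attach the context to a JAX-WS port (the generated port implements
     *  BindingProvider). Only the socket factory is set; no custom
     *  HostnameVerifier, so the default verification stays active. */
    static void configurePort(Object port, SSLContext ctx) {
        Map<String, Object> requestContext = ((BindingProvider) port).getRequestContext();
        requestContext.put("com.sun.xml.ws.transport.https.client.SSLSocketFactory",
                ctx.getSocketFactory());
    }

    /** Quick check outside JAX-WS: handshake with the endpoint and return the
     *  subject of the presented leaf certificate. A chain or hostname problem
     *  surfaces here as an SSLHandshakeException before any SOAP call is made. */
    static String probe(String httpsUrl, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect();
        try {
            Certificate leaf = conn.getServerCertificates()[0];
            return ((X509Certificate) leaf).getSubjectX500Principal().getName();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage (assumed values): java SelfSignedTrust https://ws.mylocation.mycompany.corp/service ws-trust.jks changeit
        SSLContext ctx = trustStoreContext(args[1], args[2].toCharArray());
        System.out.println("Leaf certificate subject: " + probe(args[0], ctx));
        // For a real client: configurePort(service.getPort(...), ctx);
    }
}
```

If the probe fails with a hostname verification error but the chain validates, the certificate's SAN/CN does not cover the host you are connecting to; the fix is on the server side (a matching SAN or CN), not a relaxed verifier on the client.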