Comment: Add section for "No subject alternative names present" error.

...

PKIX path building errors are by far the most common SSL errors reported on the cas-user@lists.jasig.org mailing list. The problem is that the CAS client does not trust the certificate presented by the CAS server; most often this occurs because the CAS server uses a self-signed certificate. To resolve this error, import the CAS server certificate into the system truststore of the CAS client. If the certificate is issued by your own PKI, it is better to import the root certificate of your PKI into the CAS client truststore. See the Import Trusted Certificate section for examples of importing a trusted certificate into a Java truststore.

No subject alternative names present

Sample Alt Name Stack Trace:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

In most cases this is a mismatch between the hostname used to reach the server and the CN of its SSL certificate. This commonly happens when a self-signed certificate issued to localhost is placed on a machine that is accessed by IP address. Note that generating a certificate with an IP address for a common name, e.g. CN=192.168.1.1,OU=Middleware,dc=vt,dc=edu, will not work in most cases where the client making the connection is Java. For example, the Java CAS client will throw SSL errors on connecting to a CAS server secured with a certificate containing an IP address in the CN.
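The following added example (not part of the original page or of CAS) is a simplified Python model of the RFC 2818-style identity check behind this error, showing why a CN that holds an IP address is not enough when the server is reached by IP. The certificates are constructed samples shaped like the dictionary returned by Python's `ssl` `getpeercert()`; `check_identity`, `cas.example.org`, and all reason strings other than the one quoted from the stack trace are assumptions made for illustration.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    # Case-insensitive; a leading "*" label stands for exactly one label.
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def check_identity(cert, host):
    """Return (ok, reason). Hypothetical helper modelling the check, not a real API."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        # A connection by IP is matched against iPAddress SAN entries only;
        # the CN is never consulted, so CN=<ip> does not help.
        if not sans:
            return False, "No subject alternative names present"
        want = ipaddress.ip_address(host)
        ips = [v for t, v in sans if t == "IP Address"]
        if any(ipaddress.ip_address(v) == want for v in ips):
            return True, "matched iPAddress SAN"
        return False, "no iPAddress SAN matches " + host
    dns = [v for t, v in sans if t == "DNS"]
    if dns:
        if any(_dns_match(v, host) for v in dns):
            return True, "matched dNSName SAN"
        return False, "no dNSName SAN matches " + host
    # The CN is a fallback only when the certificate has no dNSName SAN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, host) for cn in cns):
        return True, "matched CN (fallback)"
    return False, "no name matches " + host

# Constructed sample certificates (illustrative, not taken from any real server).
CN_IP_ONLY = {"subject": ((("commonName", "192.168.1.1"),),)}
LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
WITH_IP_SAN = {"subject": ((("commonName", "cas.example.org"),),),
               "subjectAltName": (("DNS", "cas.example.org"),
                                  ("IP Address", "192.168.1.1"))}
```

Only the third sample passes when the server is addressed as 192.168.1.1, which is why the usual fixes are to reach the server by a DNS name the certificate carries or to reissue the certificate with an IP address SAN entry.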

Simplified Java SSL Guide

...