
Correct CN for the SSL Certificate for HTTPS Configuration

Amy N. Snow

Joined: Apr 09, 2008
Posts: 20
I don't know if this is the correct forum to ask; if someone thinks I should post in another forum, let me know.

I'm using Weblogic 10.3 and in the development environment I have configured HTTPS with a certificate issued to the FQDN of the host in the internal network; that is, my certificate CN is hostname.organzation-name.local. For development purposes this is perfect and from the internal network we can use the website without problems.

Now I'll have to configure HTTPS for the Production server that is accessed from the Internet. I think the network people have a NAT Firewall. I'm not sure what they're using, but I'm almost sure it is not an HTTP Web Server in front of the Application Server and the external users access the application with an external IP. If I ask for a certificate issued to the internal FQDN or internal IP and install it in Weblogic, the internal applications would be able to verify the identity of my server, but when a user connects using the web browser he/she will receive an error from the browser that the certificate does not match the address entered.

What should I do to prevent this? Should I request a certificate with alternate subjects and include the external IP as an alternate subject, or should I have different certificates? If I need to have different certificates, how would I configure this in Weblogic?

Deepak Bala

Joined: Feb 24, 2006
Posts: 6662

If the clients are external, what prevents your organization (org) from associating a domain name / CNAME to the IP in question? You can then create a self-signed certificate bound to that domain name.

The certificate will be invalid to begin with since it is self-signed. If it is not self-signed, no warning will be displayed.

[EDIT] You may also want to ask your org if the certificate will be installed on a web server / application server. That will give you an idea on which paths of the traffic are encrypted.

PS: I will move this to "general computing" for you

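The name-mismatch check discussed in this thread, as an added example that is not part of either post: a simplified Python model of how a TLS client compares the address the user typed with the certificate's subjectAltName entries. The public name `app.example.com` and the address `203.0.113.10` are constructed placeholders; the certificate dictionaries follow the layout returned by `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert, address, allow_cn_fallback=False):
    """cert uses the dict layout of ssl.SSLSocket.getpeercert()."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(address):
        # An IP typed into the browser is only compared with iPAddress SAN entries.
        want = ipaddress.ip_address(address)
        return any(kind == "IP Address" and _is_ip(v) and ipaddress.ip_address(v) == want
                   for kind, v in sans)
    names = [v for kind, v in sans if kind == "DNS"]
    if not names and allow_cn_fallback:
        # Legacy behaviour: CN is consulted only when no DNS SAN exists.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, address) for n in names)

# Constructed sample data: internal name from the post, placeholder public name and IP.
INTERNAL = "hostname.organzation-name.local"
PUBLIC_NAME, PUBLIC_IP = "app.example.com", "203.0.113.10"
INTERNAL_ONLY = {"subject": ((("commonName", INTERNAL),),),
                 "subjectAltName": (("DNS", INTERNAL),)}
MULTI_SAN = {"subject": ((("commonName", PUBLIC_NAME),),),
             "subjectAltName": (("DNS", PUBLIC_NAME), ("DNS", INTERNAL),
                                ("IP Address", PUBLIC_IP))}

def report(cert):
    """Return {address: matches?} for each way a client might reach the server."""
    return {a: cert_matches(cert, a) for a in (INTERNAL, PUBLIC_NAME, PUBLIC_IP)}

if __name__ == "__main__":
    print("internal-only:", report(INTERNAL_ONLY))
    print("multi-SAN:    ", report(MULTI_SAN))
```

A certificate carrying only the internal FQDN matches internal clients and nothing else, while one certificate listing the public name, the internal name and the external IP (as an IP-type entry) matches all three ways of reaching the server.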