Recently I ran into an issue with a wildcard (*) in the Common Name (CN) of an SSL certificate. Invoking a SOAP endpoint over SSL through a standalone Java web services client failed with the error "the https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore."
Wildcard SSL certificates
Wildcard SSL certificates secure an unlimited number of first-level subdomains of a domain. A certificate with CN=*.mycompany.com is called a wildcard certificate. It protects a.mycompany.com, b.mycompany.com, c.mycompany.com and so on, because the * stands for exactly one DNS label. It does not cover second, third or deeper sublevel domains, unless those names are added to the certificate's Subject Alternative Name (SAN) extension. Note also that *.mycompany.com does not cover the bare domain mycompany.com itself; that name too has to appear in the SAN if the server answers for it.
A certificate with CN=*.mycompany.com will therefore not work for blog.subdomain.mycompany.com, unless blog.subdomain.mycompany.com is listed in the Subject Alternative Name (SAN). Keep in mind that once a certificate carries SAN DNS entries, clients that follow RFC 6125 (and all current browsers) check the hostname against the SAN entries only and ignore the CN, so every name the server is reached by should be listed there.
Below is the environment in which I encountered the issue, and the solution:
A Dynamic Invocation Interface (DII) web service Java client invoking a .NET SOAP web service. The DII client is a standalone Java application running on JRE 7.
The Fully Qualified Domain Name (FQDN) in the SOAP endpoint was of the form hostname.subdomain.mycompany.com, i.e. two labels below mycompany.com.
Issue
The way the SSL certificate was set up: the server presented a certificate whose only matching name was a wildcard CN of the form *.mycompany.com. Because the wildcard matches exactly one label, it cannot match the endpoint's FQDN hostname.subdomain.mycompany.com, and the Java client rejected the connection with the error quoted above.
Solution
A new certificate was set up with hostname.subdomain.mycompany.com (the FQDN) added to the Subject Alternative Name (SAN). Below is how the new certificate was set up, which resolved the issue.
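To make the two rules above concrete before the certificate details (a wildcard matches exactly one label, and a name listed in the SAN is accepted even when the CN does not match), here is an added example in Python. It is not code from the original post or from the Java client described; the ServerCert class, the helper names and the certificate values are constructed for illustration, and the matching rules follow RFC 6125 section 6.4.3 and 6.4.4.

```python
"""Hostname matching the way RFC 6125 clients do it (constructed example)."""
from dataclasses import dataclass, field


def matches_pattern(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` matches a certificate DNS name `pattern`.

    Rules mirrored from RFC 6125 section 6.4.3 as commonly implemented:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the complete left-most label ("*.example.com");
      * the wildcard stands for exactly one label, never zero and never several;
      * over-broad patterns such as "*" or "*.com" are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole left-most label, and nowhere else ("b*.x.com" is refused)
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse "*" and "*.com": the wildcard must sit below at least two fixed labels
    if len(p_labels) < 3:
        return False
    # Exactly one non-empty label replaces the wildcard, so label counts must be equal
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


@dataclass
class ServerCert:
    """Just the identity fields of a server certificate (constructed stand-in)."""
    common_name: str
    san_dns_names: list[str] = field(default_factory=list)


def hostname_accepted(cert: ServerCert, hostname: str) -> bool:
    """Decide whether a client would accept `cert` for `hostname`.

    If the certificate carries any dNSName SAN entries, only those are consulted
    and the CN is ignored (RFC 6125 section 6.4.4). Only when SAN is absent does
    the client fall back to the CN, which is the path the legacy client in this
    post took; current browsers never consult the CN at all.
    """
    names = cert.san_dns_names if cert.san_dns_names else [cert.common_name]
    return any(matches_pattern(name, hostname) for name in names)


if __name__ == "__main__":
    # Before: wildcard CN only.  After: FQDN added to the SAN (constructed values).
    old_cert = ServerCert(common_name="*.mycompany.com")
    new_cert = ServerCert(
        common_name="*.mycompany.com",
        san_dns_names=["*.mycompany.com", "hostname.subdomain.mycompany.com"],
    )
    for host in ["a.mycompany.com", "mycompany.com", "hostname.subdomain.mycompany.com"]:
        print(f"{host:36} old cert: {hostname_accepted(old_cert, host)!s:5} "
              f"new cert: {hostname_accepted(new_cert, host)}")
```

Running the block shows a.mycompany.com accepted by both certificates, the bare domain mycompany.com accepted by neither, and hostname.subdomain.mycompany.com accepted only once it is listed in the SAN.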
New Certificate Setup