I've seen that there are similar questions, but none give a perfect answer to me. I'm trying to set up two machines. One with LAMP and a platform (that works great) and it also handles the user db through LDAP.

On the other machine there is a portal (Liferay) and CAS should log me in to both the machine with the platform as well as the portal, using SSO.

Since this is a small testing environment that will not be put into production I've decided to use a self-signed certificate bound to an IP-address.

This does not work well for me. If I create a certificate:

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%
keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

I realize this doesn't work, and why, so I found the command

-ext san=ip:

However, this does not seem to work either. In what step do I add the -ext part? Is it during the creation of the certificate or is it while exporting it to cacerts?

1 Answer


You should add the -ext san=ip: while creating the certificate, because it's when you generate it that it will keep the SAN IP in the certificate details.

Best Regards,
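
The sequence discussed above with the SAN added at generation time, plus a check that the exported certificate really carries it. This is an added example, not part of the original question or answer; the IP 192.0.2.10, the file names, and the scratch truststore that stands in for the client JVM's cacerts are assumptions.

```shell
#!/bin/sh
# Constructed values (not from the page): IP 192.0.2.10, file names,
# a scratch truststore instead of cacerts, password "changeit".

# Generate the key pair. Extensions such as the SAN are written into the
# certificate at this step; export and import only copy what already exists.
gen_cert() {              # $1 = work dir, $2 = IP, rest = extra keytool options
  dir=$1; ip=$2; shift 2
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$ip" "$@" \
    -keystore "$dir/server.keystore" -storepass changeit -keypass changeit
}

# Export the certificate and import it into the truststore of the JVM
# that has to trust the server.
export_and_trust() {      # $1 = work dir
  keytool -exportcert -alias tomcat -rfc -file "$1/server.crt" \
    -keystore "$1/server.keystore" -storepass changeit
  keytool -importcert -noprompt -alias tomcat -file "$1/server.crt" \
    -keystore "$1/trust.keystore" -storepass changeit
}

# Succeeds only if the certificate file lists the IP as a subjectAltName.
has_ip_san() {            # $1 = certificate file, $2 = IP
  keytool -printcert -file "$1" | grep -q "IPAddress: $2"
}

# Demo run (skipped when no JDK is on the PATH).
if command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d)
  gen_cert "$work" 192.0.2.10 -ext "san=ip:192.0.2.10"
  export_and_trust "$work"
  if has_ip_san "$work/server.crt" 192.0.2.10; then
    echo "IP SAN present in exported certificate"
  else
    echo "IP SAN missing: clients connecting by IP will reject the certificate"
  fi
fi
```

Running `has_ip_san` against a certificate generated without `-ext` fails, which is the quickest way to confirm that adding the option at export or import time has no effect.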