On z/OS the default self-signed certificate created by the server has an invalid CN and SAN.
I am using Liberty on z/OS (as part of z/OS Connect).
I created an instance and this creates a certificate for me. When I use this from my web browser, the web browser complains.
The certificate has CN = localhost, organisation ibm, OU d3 (my server name).
The Subject Alternative Name is "local host".
The browser expects the Subject Alternative Name (SAN) to match the IP address it came from (10.1.3.10) - not "local host".
I also have a VIPA set up.
The certificate should have the CN and SAN of what I specified in the host, 10.1.3.10 - not "local host". In my browser I can accept this - "Proceed to 10.1.3.10 (unsafe)" - but that gets round the problem, not fixing it. If host is "*" then it should use the default IP address of the TCPIP Image being used (in my case 10.1.1.2).
If host can have more than one value, then the SAN needs to have all values. The SAN should have the IP:10.3.110 as well as any name. Using OpenSSL I would use DNS:winmvs3.hursley,ibm.com and IP:9.20.4.7 and have both in the SAN.
I worked round this by creating my own certificate, and was curious to know if there is an official solution to this, as it took me a couple of hours to fix this.
------------------------------
Colin Paice
------------------------------
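
The following is an added example, not part of the original post: one way to build a self-signed certificate with OpenSSL whose SAN carries both a DNS name and an IP address, and to check it the way a browser would. The address 10.1.3.10 is the one from the post; `zos.example.test`, the file names and the function names are constructed for illustration, and loading the result into the Liberty keystore is not shown.

```shell
#!/bin/sh
# Added example. Requires OpenSSL 1.1.1 or later (for -addext).

# make_cert PREFIX CN SAN
# Writes PREFIX.key and PREFIX.crt: a self-signed certificate with the given
# CN and subjectAltName list (for example "DNS:name,IP:addr").
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.crt" -days 365 \
        -subj "/O=example/OU=d3/CN=$2" \
        -addext "subjectAltName=$3" 2>/dev/null
}

# cert_matches_ip CERT ADDR
# Succeeds only if the certificate has an IP-type SAN entry equal to ADDR.
# A DNS-type entry or the CN is not consulted for an IP address.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" |
        grep -q "does match certificate"
}

# cert_matches_host CERT NAME
# Succeeds only if a DNS-type SAN entry matches NAME.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# Demonstration with constructed values.
demo_dir=$(mktemp -d)

# Certificate shaped like the generated default described in the post.
make_cert "$demo_dir/default" "localhost" "DNS:localhost"
# Certificate carrying both a name and the address the browser connects to.
make_cert "$demo_dir/fixed" "10.1.3.10" "DNS:zos.example.test,IP:10.1.3.10"

for c in default fixed; do
    if cert_matches_ip "$demo_dir/$c.crt" 10.1.3.10; then
        echo "$c: valid for https://10.1.3.10"
    else
        echo "$c: browser will warn for https://10.1.3.10"
    fi
done

# Show the SAN extension of the corrected certificate.
openssl x509 -in "$demo_dir/fixed.crt" -noout -ext subjectAltName
rm -rf "$demo_dir"
```
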