2

When filling out a request for a SSL Certificate, can the IP address be used for the "Common Name"?

update: We have a new production box that doesn't have a public domain name. Just a public IP. But we need to request a SSL certificate. I'm working on the domain name, but in the meantime, if I can push through a cert request with just the public IP, then I can keep something moving.

もしもし
  • 125
  • Could you elaborate why you want to do that? – Jim G. Apr 30 '13 at 17:58
  • @JimG. Updated to explain. As far as I know, that box doesn't have a public domain name to enter in the request. Just a public IP. – もしもし Apr 30 '13 at 18:34
  • You should wait for the certificate issued for your domain and signed by a CA. Meantime, you can use a self signed certificate, but this is not recommended from the security point of view. – Mircea Vutcovici Apr 30 '13 at 19:04

3 Answers3

3

According to: RFC6125 , yes, it is possible. However the SSL client might not be fully compliant and you have to test all your supported SSL clients to see how they are performing the certificate validation.

"The client determines the type (e.g., DNS name or IP address) of the reference identity and performs a comparison between the reference
identity and each subjectAltName value of the corresponding type
until a match is produced. Once a match is produced, the server's
identity has been verified, and the server identity check is
complete. Different subjectAltName types are matched in different
ways. Sections 3.1.3.1 - 3.1.3.3 explain how to compare values of
various subjectAltName types. "

.

"3.1.3.2. Comparison of IP Addresses

When the reference identity is an IP address, the identity MUST be converted to the "network byte order" octet string representation
[IP] [IPv6]. For IP Version 4, as specified in RFC 791, the octet
string will contain exactly four octets. For IP Version 6, as
specified in RFC 2460, the octet string will contain exactly sixteen
octets. This octet string is then compared against subjectAltName
values of type iPAddress. A match occurs if the reference identity
octet string and value octet strings are identical."

.

" o Identifiers other than fully qualified DNS domain names.

  Some certification authorities issue server certificates based on
  IP addresses, but preliminary evidence indicates that such
  certificates are a very small percentage (less than 1%) of issued
  certificates.  Furthermore, IP addresses are not necessarily
  reliable identifiers for application services because of the
  existence of private internets [PRIVATE], host mobility, multiple
  interfaces on a given host, Network Address Translators (NATs)
  resulting in different addresses for a host from different
  locations on the network, the practice of grouping many hosts
  together behind a single IP address, etc.  Most fundamentally,
  most users find DNS domain names much easier to work with than IP
  addresses, which is why the domain name system was designed in the
  first place.  We prefer to define best practices for the much more
  common use case and not to complicate the rules in this
  specification. "

See also: https://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using

Community
  • 1
Mircea Vutcovici
  • 18,319
0

It depends on the CA. I know that the Comodo InstantSSL will allow a ip address. It is a business validated SSL Certificate.

RunSSL
  • 54
-1

You can get SSL for public IP from Zero SSL. They even provide the trial period for 30 days. You can create 3 certificates for free. Also they have self explanatory documentation for easy integration. Once you are able to generate and use SSL, you can buy it later.

As you need to use it for IIS, you will need .pfx format certificate, that you can create by using openssl from the certificates you get from zero ssl. Check this link from generating .pfx for IIS.

Note: I am not affiliated with ZeroSSL in any way. I have used SSL certificate from ZeroSSL for the exact situation mentioned in the question.

tripleee
  • 1,483
jatz2012
  • 1
  • Why does this feel like spam? – vidarlo May 29 '23 at 12:05
  • Its not a spam. I am not anywhere associated to zeroSSL. I have used it at my workplace for creating SSL for web-apps I create. Also there are not much CAs that provide SSL on Public IP. So it will be use full for someone who is looking for the SSL for public IP. Check out my own question on SSL for clarification of you doubt. @vidarlo Requesting you to remove downvote. – jatz2012 May 29 '23 at 12:20
  • Hi, please edit to state you are not affiliated with zerossl, as is, your answer is really wrote like other spam we got on the site. If the product if free, then your answer can be ok, but if paid it's borderline to be removed. Thanks ! – yagmoth555 May 29 '23 at 12:43
  • As the answer from 10 years ago indicates, it is technically possible. But almost no-one engages in this unorthodox practice, in particular the larger authorities. – Greg Askew May 29 '23 at 13:25
  • @yagmoth555 it is giving trial period to try it out. that can at least give some time to get clarification on how SSL certificates resolves / works. Just as in my case, we had to get SSL for public IP only. There are other free providers also like let's Encrypt, that is widely used. But only a few provides SSL on public IP. – jatz2012 May 30 '23 at 12:00
  • @GregAskew very true, it exposes your IP, so as I learned in last few months is getting SSL on public IP is not a good idea. But in some cases if it is required, we can get it. I just shared what I knew, which may help someone. As question may be old, but someone like me need the same even today. – jatz2012 May 30 '23 at 12:03