Can an IP Address be used as the FQDN when requesting a SSL Certificate?

When filling out a request for a SSL Certificate, can the IP address be used for the "Common Name"?

update: We have a new production box that doesn't have a public domain name. Just a public IP. But we need to request a SSL certificate. I'm working on the domain name, but in the meantime, if I can push through a cert request with just the public IP, then I can keep something moving.


Solution 1:

According to: RFC6125 , yes, it is possible. However the SSL client might not be fully compliant and you have to test all your supported SSL clients to see how they are performing the certificate validation.

"The client determines the type (e.g., DNS name or IP address) of the reference identity and performs a comparison between the reference
identity and each subjectAltName value of the corresponding type
until a match is produced. Once a match is produced, the server's
identity has been verified, and the server identity check is
complete. Different subjectAltName types are matched in different
ways. Sections 3.1.3.1 - 3.1.3.3 explain how to compare values of
various subjectAltName types. "

.

"3.1.3.2. Comparison of IP Addresses

When the reference identity is an IP address, the identity MUST be converted to the "network byte order" octet string representation
[IP] [IPv6]. For IP Version 4, as specified in RFC 791, the octet
string will contain exactly four octets. For IP Version 6, as
specified in RFC 2460, the octet string will contain exactly sixteen
octets. This octet string is then compared against subjectAltName
values of type iPAddress. A match occurs if the reference identity
octet string and value octet strings are identical."

.

" o Identifiers other than fully qualified DNS domain names.

  Some certification authorities issue server certificates based on
  IP addresses, but preliminary evidence indicates that such
  certificates are a very small percentage (less than 1%) of issued
  certificates.  Furthermore, IP addresses are not necessarily
  reliable identifiers for application services because of the
  existence of private internets [PRIVATE], host mobility, multiple
  interfaces on a given host, Network Address Translators (NATs)
  resulting in different addresses for a host from different
  locations on the network, the practice of grouping many hosts
  together behind a single IP address, etc.  Most fundamentally,
  most users find DNS domain names much easier to work with than IP
  addresses, which is why the domain name system was designed in the
  first place.  We prefer to define best practices for the much more
  common use case and not to complicate the rules in this
  specification. "

See also: https://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using