Can an IP Address be used as the FQDN when requesting an SSL Certificate?
When filling out a request for an SSL Certificate, can the IP address be used for the "Common Name"?
update: We have a new production box that doesn't have a public domain name. Just a public IP. But we need to request a SSL certificate. I'm working on the domain name, but in the meantime, if I can push through a cert request with just the public IP, then I can keep something moving.
Solution 1:
According to RFC 6125, yes, it is possible. However, the SSL client might not be fully compliant, and you have to test all your supported SSL clients to see how they perform the certificate validation.
"The client determines the type (e.g., DNS name or IP address) of the reference identity and performs a comparison between the reference identity and each subjectAltName value of the corresponding type until a match is produced. Once a match is produced, the server's identity has been verified, and the server identity check is complete. Different subjectAltName types are matched in different ways. Sections 3.1.3.1 - 3.1.3.3 explain how to compare values of various subjectAltName types."

"3.1.3.2. Comparison of IP Addresses
When the reference identity is an IP address, the identity MUST be converted to the "network byte order" octet string representation [IP] [IPv6]. For IP Version 4, as specified in RFC 791, the octet string will contain exactly four octets. For IP Version 6, as specified in RFC 2460, the octet string will contain exactly sixteen octets. This octet string is then compared against subjectAltName values of type iPAddress. A match occurs if the reference identity octet string and value octet strings are identical."

"o Identifiers other than fully qualified DNS domain names.
Some certification authorities issue server certificates based on IP addresses, but preliminary evidence indicates that such certificates are a very small percentage (less than 1%) of issued certificates. Furthermore, IP addresses are not necessarily reliable identifiers for application services because of the existence of private internets [PRIVATE], host mobility, multiple interfaces on a given host, Network Address Translators (NATs) resulting in different addresses for a host from different locations on the network, the practice of grouping many hosts together behind a single IP address, etc. Most fundamentally, most users find DNS domain names much easier to work with than IP addresses, which is why the domain name system was designed in the first place. We prefer to define best practices for the much more common use case and not to complicate the rules in this specification."
See also: https://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using
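The matching rule the answer quotes from RFC 6125 section 3.1.3.2 is small enough to show in code. The block below is an added illustration, not code from the answer or from any TLS library: it models the subjectAltName entries a client would have parsed out of a certificate as `(type, value)` tuples, converts an IP reference identity to its network-byte-order octets with the standard `ipaddress` module, and compares like with like. The dNSName branch is a deliberately simplified exact, case-insensitive comparison (wildcard rules from section 3.1.3.1 are omitted), and the sample SAN list is constructed for the example. The point it demonstrates beyond the quoted text: an IP literal placed in a dNSName entry (or only in the Common Name) never satisfies an IP reference identity, while differently spelled IPv6 addresses do match once both are reduced to sixteen octets.

```python
"""RFC 6125 section 3.1.3.2 style matching of an IP reference identity
against subjectAltName entries. Added example; not from the original post."""
import ipaddress
from typing import Iterable, List, Tuple

# A SAN entry as a client would hold it after parsing the certificate:
#   ("iPAddress", <4 or 16 raw octets>)  or  ("dNSName", "<presented name>")
SanEntry = Tuple[str, object]


def is_ip_literal(identity: str) -> bool:
    """True if the reference identity is an IPv4/IPv6 literal (brackets tolerated)."""
    try:
        ipaddress.ip_address(identity.strip("[]"))
        return True
    except ValueError:
        return False


def reference_ip_octets(reference_identity: str) -> bytes:
    """Convert a textual IP reference identity to its network-byte-order octet
    string: exactly 4 octets for IPv4, exactly 16 for IPv6 (RFC 6125 3.1.3.2)."""
    return ipaddress.ip_address(reference_identity.strip("[]")).packed


def ip_matches_san(reference_identity: str, san_entries: Iterable[SanEntry]) -> bool:
    """Match only against iPAddress entries; a match is a byte-identical octet string.
    A dNSName that merely looks like an IP literal is ignored, as the RFC compares
    the reference identity only with SAN values of the corresponding type."""
    ref = reference_ip_octets(reference_identity)
    for san_type, value in san_entries:
        if san_type != "iPAddress":
            continue
        if not isinstance(value, (bytes, bytearray)) or len(value) not in (4, 16):
            continue  # malformed entry: a compliant client never treats it as a match
        if bytes(value) == ref:
            return True
    return False


def dns_matches_san(reference_identity: str, san_entries: Iterable[SanEntry]) -> bool:
    """Simplified dNSName comparison: exact match, case-insensitive, no wildcards."""
    ref = reference_identity.rstrip(".").lower()
    return any(
        san_type == "dNSName" and isinstance(value, str)
        and value.rstrip(".").lower() == ref
        for san_type, value in san_entries
    )


def verify_identity(reference_identity: str, san_entries: Iterable[SanEntry]) -> bool:
    """Dispatch on the type of the reference identity, as the quoted text describes,
    then compare against SAN values of that same type."""
    entries: List[SanEntry] = list(san_entries)
    if is_ip_literal(reference_identity):
        return ip_matches_san(reference_identity, entries)
    return dns_matches_san(reference_identity, entries)


# Constructed SAN list standing in for a parsed certificate (documentation ranges only).
SAMPLE_SANS: List[SanEntry] = [
    ("dNSName", "www.example.com"),
    ("iPAddress", bytes([192, 0, 2, 10])),                        # 192.0.2.10
    ("iPAddress", ipaddress.ip_address("2001:db8::10").packed),   # 16 octets
    ("dNSName", "192.0.2.99"),  # an IP written into a dNSName: never matches an IP reference
]

if __name__ == "__main__":
    for ident in ("192.0.2.10", "2001:0db8:0000:0000:0000:0000:0000:0010",
                  "192.0.2.99", "www.example.com"):
        print(f"{ident:45s} -> {verify_identity(ident, SAMPLE_SANS)}")
```

When issuing or self-signing such a certificate, the IP therefore has to land in an iPAddress SAN, which with a current OpenSSL `req` can be requested through `-addext "subjectAltName=IP:192.0.2.10"`; clients that still honour the Common Name alone are the non-compliant ones the answer says you must test for.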