Is it possible to have SSL certificate for IP address not domain name

Question

I want my site to use URLs like http   192 0 2 2     and https   192 0 2 2     for static content to avoid unnecessary cookies in request AND avoid additional DNS request   Is there any way to obtain SSL cert for this purpose

User · Answer

The answer I guess  is yes  Check this link for instance       Issuing an SSL Certificate to a Public IP Address      An SSL certificate is typically issued to a Fully Qualified Domain Name  FQDN  such as  https   www domain com   However  some organizations need an SSL certificate issued to a public IP address  This option allows you to specify a public IP address as the Common Name in your Certificate Signing Request  CSR   The issued certificate can then be used to secure connections directly with the public IP address  e g   https   123 456 78 99

User · Answer

According to this answer  it is possible  but rarely used    As for how to get it  I would tend to simply try and order one with the provider of your choice  and enter the IP address instead of a domain during the ordering process   However  running a site on an IP address to avoid the DNS lookup sounds awfully like unnecessary micro-optimization to me  You will save a few milliseconds at best  and that is per visit  as DNS results are cached on multiple levels   I don t think your idea makes sense from an optimization viewpoint

User · Answer

The short answer is yes  as long as it is a public IP address   Issuance of certificates to reserved IP addresses is not allowed  and all certificates previously issued to reserved IP addresses were revoked as of 1 October 2016   According to the CA Browser forum  there may be compatibility issues with certificates for IP addresses unless the IP address is in both the commonName and subjectAltName fields  This is due to legacy SSL implementations which are not aligned with RFC 5280  notably  Windows OS prior to Windows 10     Sources    Guidance on IP Addresses In Certificates CA Browser Forum  Baseline Requirements 1 4 1 CA Browser Forum The  soon to be  not-so Common Name unmitigatedrisk com RFC 5280 IETF     Note  an earlier version of this answer stated that all IP address certificates would be revoked on 1 October 2016  Thanks to Navin for pointing out the error

User · Answer

The answer is yes   In short  it is a subject alternative name  SAN  certificate that contains IPs where you would typically see DNS entries   The certificate type is not limited to Public IPs - that restriction is only imposed by a signing authority rather than the technology   I just wanted to clarify that point   I suspect you really just want to get rid of that pesky insecure prompt on your internal websites and devices without the cost and hassle of giving them DNS names then paying for a CA to issue a cert every year or two   You should NOT be trying to convince the world that your IP address is a reputable website and folks should feel comfortable providing their payment information  Now that we have established why no reputable organization wants to issue this type of certificate  lets just do it ourselves with a self signed SAN certificate   Internally I have a trusted certificate that is deployed to all of our hosts  then I sign this type of certificate with it and all devices become trusted   Doing that here is beyond the scope of the question but I think it relevant to the discussion as the question and solution go hand in hand   To be concise  here is how to generate an individual self signed SAN certificate with IP addresses   Expand the IP list to include your entire subnet and use one cert for everything     bin bash  using  OpenSSL 1 1 1c FIPS  28 May 2019   CentOS Linux release 8 2 2004  C US   ST Confusion   L Anywhere   O Private  Subnet   EMAIL admin company com BITS 2048 CN RFC1918 DOM company com SUBJ  quot  C  C ST  ST L  L O  O CN  CN  DOM quot   openssl genrsa -out ip key  BITS  SAN   n SAN  nsubjectAltName IP 192 168 1 0 IP 192 168 1 1 IP 192 168 1 2 IP 192 168 1 3 IP 192 168 1 4 IP 192 168 1 5 IP 192 168 1 6 IP 192 168 1 7 IP 192 168 1 8 IP 192 168 1 9 IP 192 168 1 10   cp  etc pki tls openssl cnf  tmp openssl cnf echo -e  quot  SAN quot   gt  gt   tmp openssl cnf  openssl req -subj  quot  SUBJ quot  -new -x509 -days 10950       -key ip key -out ip crt -batch       -set serial 168933982       -config  tmp openssl cnf       -extensions SAN  openssl x509 -in ip crt -noout -text

User · Answer

Yep  Cloudflare uses it for its DNS instructions homepage  https   1 1 1 1

User · Answer

The C A Browser forum sets what is and is not valid in a certificate  and what CA s should reject   According to their Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates document  CAs must  since 2015  not issue certificats where the common name  or common alternate names fields contains a reserved IP or internal name  where reserved IP addresses are IPs that IANA has listed as reserved - which includes all NAT IPs - and internal names are any names that don t resolve on the public DNS   Public IP addresses CAN be used  and the baseline requirements doc specifies what kinds of checks a CA must perform to ensure the applicant owns the IP

User · Answer

It entirely depends upon the Certificate Authority who issuing a certificate   As far as Let s Encrypt CA  they wont issue TLS certificate on public IP address   https   community letsencrypt org t certificate-for-public-ip-without-domain-name 6082  To know your Certificate authority   you can execute following command and look for an entry marked below   curl -v -u  lt username gt   lt password gt   https   IPaddress

[https] Is it possible to have SSL certificate for IP address, not domain name?

Examples related to https

Examples related to dns

Examples related to ip-address

Examples related to ssl-certificate