Home / server / Questions / 359142
Accepted
zentenk
Asked: 2012-02-12 08:03:31 +0800 CST

SSL cert without a domain name

  • 772

I am creating a webapp that I intend to be only accessible through its ip and port. It will be accessed externally.

e.g. xxx.xxx.xxx.xxx:8888

I want to enable SSL on the website, is it possible without a domain name?

ssl

3 Answers

  1. Best Answer

    Having the common name be an IP instead of a DNS name is technically allowed, but I don't think I've ever seen it implemented. If you're making the cert yourself, it should work. If you're having one purchased from a third party, you might have a tough time.

    Why wouldnt you just use a DNS name for the server instead? I wouldn't type any info into a site that was only an IP, SSL or not.

    • 1

  2. Yes, and the name does not even have to match, provided your users accept the certificate.

    • 1

  3. You might be interested in this answer on StackOverflow.

    From RFC 2818 (Section 3.1) (HTTPS/HTTP over TLS):

    If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

    [...]

    In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

    This means that, for an IP address to work, it needs to be in an Subject Alternative Name entry of type IP address. Unlike with host names, where SANs are preferred but it can fall back on the CN in the Subject DN, the SAN entry is not optional when using an IP address. (This being said, some browsers might be a bit flexible when it comes to implementing that rule.)

    • 0