CA Signed Certificate With No Domain Name

dubious

Member
Joined
Nov 18, 2008
Messages
24
Good day all,

I've been tasked to implement SSL on one of our clients' servers that runs our web-based application. It's the first client to do so and we haven't got too much experience with it. On initial setup I came right with setting up a self-signed certificate; however, the client doesn't like the warning that it displays when users navigate to the page. They now want us to organise them a CA signed certificate.

The web app is on a VM in their network. The production instance is exposed externally and uses Tomcat to serve the application. They have not registered a domain name and just use the external IP address, which is set up to then point to the VM with NATting (I'm not too sure on that whole thing as I'm not a networking guru of any kind).

What I'd like to know is if it's possible to get a CA signed certificate when just an IP address is used as the URL and not a domain name? I've been trying to do some investigation into this but there is a lot of stuff coming up and I don't have time to look for the relevant information, so if anyone here has any experience...

Thanks in advance
 

deweyzeph

Executive Member
Joined
Apr 17, 2009
Messages
9,976
Good day all,

I've been tasked to implement SSL on one of our clients' servers that runs our web-based application. It's the first client to do so and we haven't got too much experience with it. On initial setup I came right with setting up a self-signed certificate; however, the client doesn't like the warning that it displays when users navigate to the page. They now want us to organise them a CA signed certificate.

The web app is on a VM in their network. The production instance is exposed externally and uses Tomcat to serve the application. They have not registered a domain name and just use the external IP address, which is set up to then point to the VM with NATting (I'm not too sure on that whole thing as I'm not a networking guru of any kind).

What I'd like to know is if it's possible to get a CA signed certificate when just an IP address is used as the URL and not a domain name? I've been trying to do some investigation into this but there is a lot of stuff coming up and I don't have time to look for the relevant information, so if anyone here has any experience...

Thanks in advance

Yes it is possible, just use the IP address instead of the domain name when generating the CSR.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
I doubt that anyone would issue a cert on an IP - i.e. the CN being the IP? Just from a revocation perspective or even later on needing to move the app, DNS is surely a better option. Providing a website via IP is generally a poor choice of implementation and should not happen.

In the worst case, use a service such as http://dyn.com/dns/ to sort this out if you don't want to register and maintain your own domain.
 

deweyzeph

Executive Member
Joined
Apr 17, 2009
Messages
9,976
I doubt that anyone would issue a cert on an IP - i.e. the CN being the IP? Just from a revocation perspective or even later on needing to move the app, DNS is surely a better option. Providing a website via IP is generally a poor choice of implementation and should not happen.

In the worst case, use a service such as http://dyn.com/dns/ to sort this out if you don't want to register and maintain your own domain.

You definitely can, done it many times before. You just simply use the IP address as the domain name when generating the CSR and ordering your cert.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
You definitely can, done it many times before. You just simply use the IP address as the domain name when generating the CSR and ordering your cert.

Interesting - didn't know that. What is the reason for offering a webservice via IP instead of domain name? Makes no sense to me on so many levels (load balancing being one of the most obvious ones).
 

dubious

Member
Joined
Nov 18, 2008
Messages
24
Interesting - didn't know that. What is the reason for offering a webservice via IP instead of domain name? Makes no sense to me on so many levels (load balancing being one of the most obvious ones).

In this particular instance the web app is only used by 6 or so staff members. The reason it has been exposed externally is so that these users are able to work from outside the company network without the need for a VPN.

Anyway, we were going to look at using Comodo for them because of the affordability and Comodo has some kind of domain validation control. Which CAs allow it to be done on IP alone? And should it be done just by IP what other details would they need?
 

kianm

Honorary Master
Joined
Jan 13, 2014
Messages
10,533
You definitely can, done it many times before. You just simply use the IP address as the domain name when generating the CSR and ordering your cert.

Always learning something on the forums, I like :). Just wanted to ask how do they validate the owner, because I know for registered domain names they utilise whois lookups and contact the registered owner. How does it work with IPs only? Contact ISP?
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,382
If they don't like the cert warning, and it's only a few people, why not add the CA cert to the trusted list on their machines?
You would probably need to disable CRLs though.
 

biometrics

Honorary Master
Joined
Aug 7, 2003
Messages
71,858
Always learning something on the forums, I like :). Just wanted to ask how do they validate the owner, because I know for registered domain names they utilise whois lookups and contact the registered owner. How does it work with IPs only? Contact ISP?

The verification is a major pain. So bad I've blanked it from my memory ...
 

dubious

Member
Joined
Nov 18, 2008
Messages
24
If they don't like the cert warning, and it's only a few people, why not add the CA cert to the trusted list on their machines?
You would probably need to disable CRLs though.

I was thinking the same thing; however, their IT manager is the one making the request and he should know that the self-signed certificate can be added to the trusted list on the respective machines. I guess the issue there is the users aren't guaranteed to always use a company issued PC...

I started looking into OpenSSL yesterday. I know Heartbleed is probably still fresh in people's minds though... Anyways, does anyone have any experience with using OpenSSL or know of good resources to study up on?

EDIT: Seems I'm being foolish and the certificate still needs to be signed by a CA. Makes sense. Duh
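The two routes discussed in this thread, as an added OpenSSL walkthrough that is not from any of the posters: (1) generating the CSR for an IP-only server, which is what you would send to a public CA, and (2) the alternative syntax raised, signing that CSR with your own private CA and installing the CA certificate in the users' trust stores so no warning appears. Note that the IP must go in the subjectAltName as an iPAddress entry, not only in the CN; current browsers ignore the CN entirely. The address 203.0.113.10, the organisation names and the file layout under a temp directory are constructed for the example; a public CA will only issue for a publicly routable address.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI (1.1.0+ for
# "verify -verify_ip"). 203.0.113.10 is a constructed documentation address.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write a request config that carries the IP in a subjectAltName iPAddress entry.
write_csr_config() {
  ip="$1"
  cat > "$WORK/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $ip
O = Example Client (constructed)
[ ext ]
subjectAltName = IP:$ip
EOF
}

# Step 1: private key + CSR. server.csr is the file you hand to the CA;
# server.key never leaves the server.
make_ip_csr() {
  ip="$1"
  write_csr_config "$ip"
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -config "$WORK/csr.cnf" -out "$WORK/server.csr"
  echo "$WORK/server.csr"
}

# Print the SAN line of a CSR so it can be checked before submission.
csr_san() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Step 2 (alternative to a public CA): a private CA. ca.crt is what gets
# imported into the users' trust stores; ca.key stays offline.
make_private_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Internal CA (constructed)
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 3650 -config "$WORK/ca.cnf" 2>/dev/null
  echo "$WORK/ca.crt"
}

# Sign the CSR. "x509 -req" drops the request's extensions, so the SAN has to be
# restated in an extfile or the issued cert will fail IP verification.
sign_with_private_ca() {
  csr="$1"
  ip="$2"
  cat > "$WORK/leaf.cnf" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
  openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 825 -extfile "$WORK/leaf.cnf" -out "$WORK/server.crt" 2>/dev/null
  echo "$WORK/server.crt"
}

# Step 3: check what a client that trusts only ca.crt and connects by IP would see.
verify_for_ip() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Demo run with the constructed address.
CSR=$(make_ip_csr 203.0.113.10)
echo "CSR SAN: $(csr_san "$CSR")"
make_private_ca >/dev/null
CRT=$(sign_with_private_ca "$CSR" 203.0.113.10)
echo "verify as 203.0.113.10: $(verify_for_ip "$CRT" 203.0.113.10)"
echo "verify as 203.0.113.11: $(verify_for_ip "$CRT" 203.0.113.11)"
```

For the public-CA route only step 1 matters; the CA returns the signed certificate and you import it, with its chain, into the Tomcat keystore. For the private-CA route, the second verify call shows the check that actually matters: a certificate issued for one address is rejected when the client connects to another, so the IP in the SAN has to be the one users type.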
 