CA Signed Certificate With No Domain Name

D

dubious

Member
Joined
Nov 18, 2008
Messages
24
Reaction score
0
Location
PTA
Good day all,

I've been tasked to implement SSL on one of our clients servers that runs our web based application. It's the first client to do so and we haven't got too much experience with it. On initial set up I came right with setting up a self-signed certificate, however, the client doesn't like the warning that it displays when users navigate to the page. They now want us to organise them a CA signed certificate.

The web app is on a vm in their network. The production instance is exposed externally and uses Tomcat to serve the application. They have not registered a domain name and just use the external IP address which is set up to then point to the vm with NATting (I'm not too sure on that whole thing as I'm not a networking guru of any kind).

What I'd like to know is if it's possible to get a CA signed certificates when just an IP address is used as the URL and not a domain name? I've been trying to do some investigation into this but there is a lot of stuff coming up and I don't have time to look for the relevant information so if anyone here has any experience...

Thanks in advance
 
dubious said:
Good day all,

I've been tasked to implement SSL on one of our clients servers that runs our web based application. It's the first client to do so and we haven't got too much experience with it. On initial set up I came right with setting up a self-signed certificate, however, the client doesn't like the warning that it displays when users navigate to the page. They now want us to organise them a CA signed certificate.

The web app is on a vm in their network. The production instance is exposed externally and uses Tomcat to serve the application. They have not registered a domain name and just use the external IP address which is set up to then point to the vm with NATting (I'm not too sure on that whole thing as I'm not a networking guru of any kind).

What I'd like to know is if it's possible to get a CA signed certificates when just an IP address is used as the URL and not a domain name? I've been trying to do some investigation into this but there is a lot of stuff coming up and I don't have time to look for the relevant information so if anyone here has any experience...

Thanks in advance
Click to expand...

Yes it is possible, just use the IP address instead of the domain name when generating the CSR.
 
I doubt that anyone would issue a cert on an IP - i.e. the CN being the IP? Just from a revocation perspective or even later on needing to move the app, DNS is surely a better option. Providing a website via IP is generally a poor choice of implementation and should not happen.

In the worst case, use a service such as http://dyn.com/dns/ to sort this out if you don't want to register and maintain your own domain.
 
MagicDude4Eva said:
I doubt that anyone would issue a cert on an IP - i.e. the CN being the IP? Just from a revocation perspective or even later on needing to move the app, DNS is surely a better option. Providing a website via IP is generally a poor choice of implementation and should not happen.

In the worst case, use a service such as http://dyn.com/dns/ to sort this out if you don't want to register and maintain your own domain.
Click to expand...

You definitely can, done it many times before. You just simply use the IP address as the domain name when generating the CSR and ordering your cert.
 
deweyzeph said:
You definitely can, done it many times before. You just simply use the IP address as the domain name when generating the CSR and ordering your cert.
Click to expand...

Interesting - didn't know that. What is the reason for offering a webservice via IP instead of domain name? Makes no sense to me on so many levels (load balancing being one of the most obvious ones).
 
MagicDude4Eva said:
Interesting - didn't know that. What is the reason for offering a webservice via IP instead of domain name? Makes no sense to me on so many levels (load balancing being one of the most obvious ones).
Click to expand...

In this particular instance the web app is only used by 6 or so staff members. The reason it has been exposed externally is so that these users are able to work from outside the company network without the need of a VPN.

Anyway, we were going to look at using Comodo for them because of the affordability and Comodo has some kind of domain validation control. Which CAs allow it to be done on IP alone? And should it be done just by IP what other details would they need?
 
deweyzeph said:
You definitely can, done it many times before. You just simply use the IP address as the domain name when generating the CSR and ordering your cert.
Click to expand...

Always learning something on the forums I like :) . Just wanted to ask how do they validate the owner, because I know for registred domain names they utilise whois lookups and contact the registered owner. How does it work with IPs only? Contact ISP?
 
If they dont like the cert warning, and its only a few people, why not add the CA cert to the trusted list on their machine.
You would probably need to disable CRL's though
 
kianm said:
Always learning something on the forums I like :) . Just wanted to ask how do they validate the owner, because I know for registred domain names they utilise whois lookups and contact the registered owner. How does it work with IPs only? Contact ISP?
Click to expand...

The verification is a major pain. So bad I've blanked it from my memory ...
 
syntax said:
If they dont like the cert warning, and its only a few people, why not add the CA cert to the trusted list on their machine.
You would probably need to disable CRL's though
Click to expand...

I was thinking the same thing, however, their IT manager is the one making the request and he should know that the self-signed certificate can be added to the trusted list on the respective machines. I guess the issue there is the users aren't guaranteed to always use a company issued PC...

I started looking in to OpenSSL yesterday - I know Heartbleed is probably still fresh in peoples minds though... Anyways, does anyone have any experience with using OpenSSL or know of good resources to study up on?

EDIT: Seems I'm being foolilsh and the certificate still needs to be signed by a CA. Makes sense. Duh
 
Last edited:
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X