443

I want my site to use URLs like http://192.0.2.2/... and https://192.0.2.2/... for static content to avoid unnecessary cookies in requests AND avoid an additional DNS request.

Is there any way to obtain SSL cert for this purpose?

Patrick Mevzek
Evgenyt
  • 3
    [This question](http://stackoverflow.com/a/8444863/372643) may be of interest: you can but the IP address should be in a SAN entry of IP address type, not in the CN of the Subject DN. – Bruno Aug 07 '12 at 15:12
  • 34
    LetsEncrypt doesn't do so. "x.x.x.x is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address." – kommradHomer Jun 12 '17 at 12:54
  • 2
    C/A Browser Forum provides one set of issuing policies. Obviously, it is followed by browsers. CA/B no longer allows IP addresses. Another set of issuing policies is maintained by the IETF. The IETF's PKI is called PKIX. PKIX allows IP addresses. PKIX is followed by most [free?] software, like cURL and Wget. I can't quite figure out the cert for [1.1.1.1](https://1.1.1.1/). It should be forbidden according to CA/B policies. Maybe CA/B changed their policies. – jww Mar 14 '19 at 08:25
  • 4
    @jww: as several answers correctly say, CABforum prohibits **Reserved** IP Addresses -- mostly the private ranges in RFC1918 and RFC6598 plus a few others like 127 for localhost and the examples in documentation. They explicitly allow _Public_ IP Addresses; see BR 3.2.2.5. – dave_thompson_085 Jan 23 '21 at 06:39

7 Answers

249

According to this answer, it is possible, but rarely used.

As for how to get it: I would tend to simply try and order one with the provider of your choice, and enter the IP address instead of a domain during the ordering process.

However, running a site on an IP address to avoid the DNS lookup sounds awfully like unnecessary micro-optimization to me. You will save a few milliseconds at best, and that is per visit, as DNS results are cached on multiple levels.

I don't think your idea makes sense from an optimization viewpoint.

Pekka
  • 13
    AFAIK, 1 time per minute (Firefox DNS cache) and 1 time per 30 minutes for IE. This differs from TTL of DNS records. Also it takes about 20ms for me, depending on domain and how fast are NS servers (which are also to be resolved first :) ) I also want to avoid my lengthy cookies (my auth + Google Analytics cookies) for each static request. So using IP instead of purchasing separate domain is good. BTW, stackoverflow, basecamphq use separate domain for static content. Using IP instead will remove unnecessary DNS request(s) also. – Evgenyt Jan 11 '10 at 18:07
  • 17
    I absolutely see your point with the cookies, you're totally right. But to switch to a SSL IP to save the few ms of DNS lookup sounds more hassle to me than it's worth. Plus, you may have issues taking your IP with you if you ever have to change your provider - it's probably not possible. Moving a domain is much easier, and it should be possible to move a certificate with it halfway easily. – Pekka Jan 11 '10 at 18:10
  • 2
    Google's Page Speed tool always suggests to "Serve the following JavaScript resources from the same host as the main document (xxxx.com), or defer loading of these resources if possible". I'm not rating Page Speed tool as bible, but anyway that means DNS optimization was not invented by me. I'm just trying to make my Page Speed checklist green where possible. – Evgenyt Jan 11 '10 at 18:36
  • 14
    @Evgenyt: I don't think that's because of the DNS lookup, which as stated is cached on so many levels that it can't be a performance issue. More likely it is to enable browsers to pipeline their requests. Keeping the connection to the host open, thus avoiding the setup of additional connections. – vdstw Dec 18 '11 at 16:58
  • @Pekka웃, Does HTTPS for IP work for the major "world-recognized" CAs or do you mean that they only work for "self" CAs? – Pacerier Oct 10 '14 at 15:37
  • 1
    Running into a situation where this is required. VMware view remote virtual desktops. user logs into "broker", which assigns a windows VM *by ip address*. User's remote desktop client is started up and told to connect to a particular IP. (in some cases, PCoIP instead of remote desktop, but remote desktop is definitely possible and i guess in some cases desirable.) – Dan Pritts Nov 20 '14 at 16:12
  • 6
    I agree with the answer. Also, we found an issue with such configuration. Turned out, Chrome browser (39.0.2171.93) on Android OS (4.4, 5.0; works on 4.0.4) doesn't play audio files via HTTPS if IP address is used as certificate target. We used to use such configuration for our test environment, but will start using domain names. – ENargit Jan 21 '15 at 12:51
  • It seems that you won't create IP SSL certificates anymore: https://uk.godaddy.com/help/can-i-request-a-certificate-for-an-intranet-name-or-ip-address-6935 – Mariy Oct 03 '16 at 16:30
  • What if I need SSL for my IOT hardware server which mostly used locally in same network and it has got domain https://myiot.local. Is it possible in this case to create SSL without warning. – Rajendra Jan 19 '18 at 06:55
  • Another issue arises when the ip changes. Which happens once a month or so with an isp. – Timo Apr 05 '18 at 15:08
  • "Internal Name" and private IP certificates were deprecated in October 2016 according to the CA Browser Forum. – Chris Becke Feb 11 '19 at 12:50
  • @Mariy You can fully acquire certificates for (public) IP addresses from some CAs (GoDaddy is not the only one), even if they are not a lot of them. But most of the time it is not worth the effort, as IP addresses in HTTPS links are not a good idea. Otherwise see my other answer that gives more details (about IPv6 in fact, but all of it applies to IPv4): https://serverfault.com/a/981111/396475 – Patrick Mevzek Sep 24 '19 at 20:15
  • 1
    @Timo Server can easily have fixed public IP; see documentation for AWS and GCE. – Franklin Yu Oct 12 '19 at 05:00
  • @AttilaSzeremi https://8.8.8.8 is also famous. (Although it redirects away, it has a valid certificate.) – Franklin Yu Oct 12 '19 at 05:03
  • The link you provided didn't actually _solve_ the answer. So that's not helpful. – Sam Sverko Oct 16 '19 at 21:28
  • I don't see why you shouldn't have a certificate for an IP. Making use of HTTPS isn't just to have that `s` in the URL or show up higher on Google, it's for encryption. In many cases, you will have servers communicating with each other over a private network with static local IPs. Furthermore, IPs like 1.1.1.1 and 8.8.8.8 are used for marketing, especially the former. What if I have another nice IP that I want to have SSL for? Even if all you want is to redirect requests from the direct IP, modern browsers will by default try to use https even if the host is an IP address. – undefined Sep 25 '21 at 02:10
  • "Premature optimization is the root of all evil" - Knuth – cryanbhu Oct 15 '21 at 06:56
87

The short answer is yes, as long as it is a public IP address.

Issuance of certificates to reserved IP addresses is not allowed, and all certificates previously issued to reserved IP addresses were revoked as of 1 October 2016.

According to the CA Browser forum, there may be compatibility issues with certificates for IP addresses unless the IP address is in both the commonName and subjectAltName fields. This is due to legacy SSL implementations which are not aligned with RFC 5280, notably, Windows OS prior to Windows 10.


Sources:

  1. Guidance on IP Addresses In Certificates CA Browser Forum
  2. Baseline Requirements 1.4.1 CA Browser Forum
  3. The (soon to be) not-so Common Name unmitigatedrisk.com
  4. RFC 5280 IETF

Note: an earlier version of this answer stated that all IP address certificates would be revoked on 1 October 2016. Thanks to Navin for pointing out the error.

Robbie JW
regdoug
  • 6
    Not true, globalsign still issues certs for IPs. The Certificate Authority/Browser Forum doesn't like seeing private IPs in certs but has nothing against public IPs. – Navin Oct 21 '16 at 18:10
  • 1
    It looks like my info may be out of date. I'll look into it more and then edit it if you are correct. – regdoug Dec 17 '16 at 23:44
  • 1
    Not true, look at https://1.1.1.1 They get an SSL cert for ip in 2019 and valid to 2021 from DigiCert – bronze man Aug 28 '19 at 02:07
  • 2
    @bronzeman that is a public IP address so, yes you can get a certificate for it. The only addresses which cannot be issued a certificate are https://en.wikipedia.org/wiki/Reserved_IP_addresses – regdoug Sep 16 '19 at 17:24
  • @DustWolf, per RFC 5280, "When the subjectAltName extension contains an iPAddress, the address MUST be stored in the octet string in "network byte order", as specified in [RFC791]. ... For IP version 4..., the octet string MUST contain exactly four octets." In short, you can't use a subnet in the subjectAltName field – regdoug Dec 04 '19 at 21:19
  • IPs from 172.16/12 also cannot be used it seems, Chrome yields a Common name invalid error. @regdoug corrected comment. – DustWolf Dec 06 '19 at 14:40
  • @DustWolf: as already stated CABforum prohibits _reserved_ IP addresses, which includes RFC1918 ranges 10/8 172.16/12 192.168/16 – dave_thompson_085 Jan 23 '21 at 07:32
48

Yep. Cloudflare uses it for its DNS instructions homepage: https://1.1.1.1

mehulmpt
  • 16
    This isn't quite what it seems. If you inspect the cert, the `Common Name` field is `cloudflare-dns.com` and `1.1.1.1` is only listed under `Certificate Subject Alt Name`. – bitinerant Feb 15 '19 at 18:46
  • 13
    @bitinerant the [Common Name will be ignored if a Subject Alternative Name is present](https://blog.confirm.ch/ssl-certificates-with-subjectalternativename-san/). In fact, the Common Name is deprecated and only the SAN is really relevant. – Yogu Aug 17 '19 at 17:44
41

The answer, I guess, is yes. Check this link for instance.

Issuing an SSL Certificate to a Public IP Address

An SSL certificate is typically issued to a Fully Qualified Domain Name (FQDN) such as "https://www.domain.com". However, some organizations need an SSL certificate issued to a public IP address. This option allows you to specify a public IP address as the Common Name in your Certificate Signing Request (CSR). The issued certificate can then be used to secure connections directly with the public IP address (e.g., https://123.456.78.99.).

Zizouz212
Klaus Byskov Pedersen
  • 6
    Does it work too with static private IP? Like for a LAN? – Mr Bonjour Mar 03 '16 at 08:18
  • @Klaus Byskov Pedersen Could you please provide me with a resource on how to do this? – reyhane Aug 26 '19 at 04:57
  • 2
    @ShivSingh Any source? I don't think any well-known CA would issue certificate to private IP address. – Franklin Yu Oct 12 '19 at 06:43
  • @reyhane Take a look at the concept https://superuser.com/questions/630914/can-i-be-a-root-certificate-authority-for-my-local-network and then use hashicorp vault for certificate authority lifecycle management and certificate issuance: https://www.vaultproject.io/docs/secrets/pki – yurisich Feb 04 '21 at 13:46
29

The answer is yes. In short, it is a subject alternative name (SAN) certificate that contains IPs where you would typically see DNS entries. The certificate type is not limited to public IPs; that restriction is only imposed by a signing authority rather than the technology. I just wanted to clarify that point.

I suspect you really just want to get rid of that pesky insecure prompt on your internal websites and devices without the cost and hassle of giving them DNS names, then paying for a CA to issue a cert every year or two. You should NOT be trying to convince the world that your IP address is a reputable website and that folks should feel comfortable providing their payment information. Now that we have established why no reputable organization wants to issue this type of certificate, let's just do it ourselves with a self-signed SAN certificate. Internally I have a trusted certificate that is deployed to all of our hosts; then I sign this type of certificate with it and all devices become trusted. Doing that here is beyond the scope of the question, but I think it is relevant to the discussion as the question and solution go hand in hand.

To be concise, here is how to generate an individual self-signed SAN certificate with IP addresses. Expand the IP list to include your entire subnet and use one cert for everything.

#!/bin/bash
# Using: OpenSSL 1.1.1c FIPS 28 May 2019 / CentOS Linux release 8.2.2004

# Subject fields. The CN is largely irrelevant here: clients match the
# connected IP against the subjectAltName entries, not the CN.
C=US ; ST=Confusion ; L=Anywhere ; O=Private\ Subnet ; EMAIL=admin@company.com
BITS=2048
CN=RFC1918
DOM=company.com
SUBJ="/C=$C/ST=$ST/L=$L/O=$O/CN=$CN.$DOM"

# Private key for the certificate
openssl genrsa -out ip.key $BITS

# Extra config section listing every IP the certificate must be valid for
SAN='\n[SAN]\nsubjectAltName=IP:192.168.1.0,IP:192.168.1.1,IP:192.168.1.2,IP:192.168.1.3,IP:192.168.1.4,IP:192.168.1.5,IP:192.168.1.6,IP:192.168.1.7,IP:192.168.1.8,IP:192.168.1.9,IP:192.168.1.10'

# Append that section to a copy of the system OpenSSL config. The path of
# openssl.cnf differs per distribution; `openssl version -d` prints it.
cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnf
echo -e "$SAN" >> /tmp/openssl.cnf

# Self-signed certificate (10950 days = 30 years) carrying the [SAN] extensions
openssl req -subj "$SUBJ" -new -x509 -days 10950 \
    -key ip.key -out ip.crt -batch \
    -set_serial 168933982 \
    -config /tmp/openssl.cnf \
    -extensions SAN

# Inspect the result; the X509v3 Subject Alternative Name block should list the IPs
openssl x509 -in ip.crt -noout -text

Josiah DeWitt
  • Excellent answer. But what is $DOM? – sekrett Oct 20 '20 at 14:31
  • 1
    that is the domain, I've edited the code to include it. Note however the CN is largely irrelevant since what we are trying to do is provide a certificate for IP addresses. I should have excluded it altogether. – Josiah DeWitt Oct 20 '20 at 18:51
  • In Ubuntu 20.04.3 I found `openssl.cnf` in `/usr/lib/ssl/` which although turns out to be a symlink, is still the location provided by `openssl version -d`. – Heath Raftery Sep 28 '21 at 06:29
  • For what it's worth, today Safari warns the certificate is not valid but allows you to proceed, while Opera also considers it invalid and refuses to continue. There may be workarounds via modifying the client's trusted certificate list. But sigh, the SSL scourge continues to tighten its grip. – Heath Raftery Sep 28 '21 at 07:14
7

It entirely depends upon the Certificate Authority that is issuing the certificate.

As for the Let's Encrypt CA, they won't issue a TLS certificate for a public IP address. https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082

To find out your Certificate Authority, you can execute the following command and look for the entry marked below.

curl -v -u <username>:<password> "https://IPaddress/.."

[screenshot of the curl -v output, not reproduced]

Shahid Hussain
6

The C/A Browser forum sets what is and is not valid in a certificate, and what CA's should reject.

According to their Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates document, CAs must, since 2015, not issue certificates where the common name or subject alternative name fields contain a reserved IP or internal name, where reserved IP addresses are IPs that IANA has listed as reserved (which includes all NAT IPs) and internal names are any names that don't resolve on the public DNS.

Public IP addresses CAN be used (and the baseline requirements doc specifies what kinds of checks a CA must perform to ensure the applicant owns the IP).

Chris Becke
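An added example (Python standard library only; not code from any answer on this page) covering the two facts the answers above rest on: the CA/B Forum reserved-IP rule from the last answer, using `ipaddress.is_global` as an approximation of IANA's special-purpose registry, and the RFC 5280 iPAddress encoding quoted in the comments, built and parsed here so the "exactly four octets, network byte order" rule is visible on the wire. Function names and the sample SAN entries are my own construction.

```python
import ipaddress

# Added example: the CA/B Forum "Reserved IP Address" screen and the RFC 5280
# subjectAltName iPAddress encoding that the answers above rely on (stdlib only).
def publicly_issuable(ip_text):
    """True if a public CA may issue for this IP. is_global approximates the IANA
    special-purpose registry the CA/B BRs cite (RFC 1918/6598, loopback, ...)."""
    return ipaddress.ip_address(ip_text).is_global

def _der_len(n):  # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(buf, pos):  # inverse of _der_len: (header_size, content_length)
    n = buf[pos] & 0x7F
    if buf[pos] < 0x80:
        return 1, n
    return 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def encode_san(entries):
    """subjectAltName DER from ("ip", addr) / ("dns", name) pairs: iPAddress is [7]
    IMPLICIT OCTET STRING (packed address, 4 or 16 octets), dNSName is [2] IA5String."""
    names = b""
    for kind, value in entries:
        if kind == "ip":
            tag, content = b"\x87", ipaddress.ip_address(value).packed
        elif kind == "dns":
            tag, content = b"\x82", value.encode("ascii")
        else:
            raise ValueError("unsupported GeneralName kind: " + kind)
        names += tag + _der_len(len(content)) + content
    return b"\x30" + _der_len(len(names)) + names  # SEQUENCE OF GeneralName

def decode_san(der):
    """Parse a DER subjectAltName back into (kind, value) pairs."""
    if der[0] != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    hl, total = _read_len(der, 1)
    pos, end, out = 1 + hl, 1 + hl + total, []
    while pos < end:
        hl2, ln = _read_len(der, pos + 1)
        content = der[pos + 1 + hl2:pos + 1 + hl2 + ln]
        if der[pos] == 0x87:
            out.append(("ip", str(ipaddress.ip_address(content))))
        elif der[pos] == 0x82:
            out.append(("dns", content.decode("ascii")))
        pos += 1 + hl2 + ln
    return out
```

With this screen the question's 192.0.2.2 (a documentation range) is rejected exactly like RFC 1918 space, while 1.1.1.1 and 8.8.8.8 pass; a full /24 of IP SANs produces a long-form SEQUENCE length, which the encoder and parser both handle.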