
I set up a Secure Gateway destination with the HTTPS option and Client TLS enabled in order to access a remote HTTPS REST API whose certificate CN is an IP address.

When I executed a trx, the Secure Gateway Client got the error "IP: 192.168.56.1 is not in the cert's list:". There was no information about the CN name. If the cert had not been uploaded to SG, the error message would have been "DEPTH_ZERO_SELF_SIGNED_CERT" according to "Secure Gateway client troubleshooting". So I think the cert was uploaded correctly, but the CN was not resolved by the SG Client.

Secure Gateway client troubleshooting
https://www.ng.bluemix.net/docs/troubleshoot/SecureGateway/ts_index-gentopic1.html#ts_sg_010

Could you teach me whether the Secure Gateway Client supports a self-signed cert whose CN is an IP address or not?

Secure Gateway Client's log

[2015-07-06 08:16:26.548] [INFO] Connection #55 is being established to 192.168.56.1:443
[2015-07-06 08:16:26.580] [INFO] Connection #55 established to 192.168.56.1:443
[2015-07-06 08:16:26.656] [ERROR] Connection #55 to destination 192.168.56.1:443 had error: IP: 192.168.56.1 is not in the cert's list:
[2015-07-06 08:16:26.676] [INFO] Connection #55 to 192.168.56.1:443 was closed

Uploaded cert file:
CN=192.168.56.1, OU=demo, O=qit, L=hakozaki, S=tokyo, C=Japan

shimac-jp

1 Answer

If you look at the error message, it does not say CN (e.g. "[ERROR] Connection # had error: Host: . is not cert's CN:"), but "the cert's list", which leads me to believe you have generated your self-signed cert incorrectly. The problem is generating the cert using an FQDN or CN with an IP address. This will not work, since IP addresses are only supported when using a SAN.

Method for generating a certificate with an IP as the CN with openssl:

1) Create an openssl config file; I copied mine from /usr/lib/ssl/openssl.cnf

2) Add an alternate_names section to the file like below:

[ alternate_names ]
IP.1 = <my application's ip>

3) In the [ v3_ca ] section, add this line:

subjectAltName = @alternate_names

4) Under the CA_default section, uncomment copy_extensions:

# Extension copying option: use with caution.
copy_extensions = copy

5) Gen private key: openssl genrsa -out private.key 3072

6) Gen certificate with options about organization: openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730 -config

7) Combine the files: cat private.key certificate.pem > SAN.pem

8) Load the SAN.pem file into your destination as the client-TLS cert.

9) Load the SAN.pem file into your on-premises application and restart.

10) Your destination can be configured for either TCP, HTTP or HTTPS, and your cloud-side application should now be able to connect to your on-premises application.

Got this from: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?

doktoroblivion
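The procedure above in a self-contained form, as an added example that is not part of the original answer or of the Secure Gateway product: it writes its own minimal openssl config instead of editing a copy of openssl.cnf, builds two self-signed certs for the questioner's address 192.168.56.1 (one with the IP only in the CN, as uploaded in the question, and one with the IP in subjectAltName), and then checks each the way a TLS client does, so you can confirm a cert carries the IP SAN before uploading it. It assumes the openssl command line (1.0.2 or newer, for -verify_ip) is on PATH; the file names san.cnf, good.pem and bad.pem are this example's own.

```shell
#!/bin/sh
# Added example, not the answer's own script. Assumes the openssl CLI is on PATH.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# write_config IP WITH_SAN: minimal openssl config. With WITH_SAN=yes the IP is
# placed in [ alternate_names ] and pulled in via subjectAltName, like the
# answer's [ v3_ca ] edit; with WITH_SAN=no the IP appears only in the CN.
write_config() {
    {
        printf '[ req ]\ndistinguished_name = req_dn\nx509_extensions = v3_self\nprompt = no\n\n'
        printf '[ req_dn ]\nC = JP\nO = qit\nCN = %s\n\n' "$1"
        printf '[ v3_self ]\nbasicConstraints = CA:TRUE\n'
        if [ "$2" = "yes" ]; then
            printf 'subjectAltName = @alternate_names\n\n[ alternate_names ]\nIP.1 = %s\n' "$1"
        fi
    } > "$WORKDIR/san.cnf"
}

# gen_cert NAME IP WITH_SAN: self-signed key + cert, plus the key+cert bundle
# the answer uploads as the client-TLS cert. Prints the bundle path.
gen_cert() {
    write_config "$2" "$3"
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
        -config "$WORKDIR/san.cnf" 2>/dev/null
    cat "$WORKDIR/$1.key" "$WORKDIR/$1.pem" > "$WORKDIR/$1-bundle.pem"
    echo "$WORKDIR/$1-bundle.pem"
}

# cert_has_ip_san FILE IP: succeeds only if the IP is listed in subjectAltName.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# cert_verifies_for_ip FILE IP: chain check against the cert itself plus the
# identity check a client performs. -verify_ip consults only the SAN, never the
# CN, which is exactly why the CN-only cert fails.
cert_verifies_for_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Demo: the questioner's style of cert versus the answer's.
IP=192.168.56.1
for variant in no yes; do
    gen_cert "cert-$variant" "$IP" "$variant" >/dev/null
    f="$WORKDIR/cert-$variant.pem"
    if cert_has_ip_san "$f" "$IP"; then san=present; else san=absent; fi
    if cert_verifies_for_ip "$f" "$IP"; then v=OK; else v=REJECTED; fi
    echo "IP in SAN: $san  -> client verification for $IP: $v"
done
```

The first line of output corresponds to the cert from the question (SAN absent, rejected), the second to the cert the answer describes (SAN present, OK). Run `cert_has_ip_san` against any bundle before uploading it to the destination; if it fails, the Secure Gateway client will produce the same "is not in the cert's list" error regardless of what the CN says.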