14

I have an unusual use case:

  • a web server on the Internet is serving pages through HTTPS,
  • inside those web pages, there are XMLHttpRequest calls to a locally connected device (IP over USB)
    • the device supports both HTTP and HTTPS,
    • the device is accessible on http(s)://192.168.0.1
  • the HTTP calls fail because of insecure content in an HTTPS page,
  • the HTTPS calls fail because the certificate is not trusted (self-signed).

Side question: Since the device is locally connected to the PC, the encryption is pretty useless: does an HTTP header exist that allows insecure connections to a specific URL? (like CORS for cross-domain)

Main question: Is it possible to obtain a certificate for a private IP address?

Edit: it seems that Plex had a similar problem and solved it the way described in this blog post. This is way too big for me.

Xvolks

2 Answers

11

Is it possible to obtain a certificate for a private IP address ?

A certificate can be bound to an IP address (see this). You can issue a self-signed certificate for a private address, but a trusted CA will not issue a certificate for a private address because it cannot verify its identity.

For example, a certificate issued to 192.168.0.1 would theoretically be valid in any context, and this should not be allowed by a trusted CA.

Plex solves the problem with dynamic DNS and a wildcard certificate. The connections are made using the name (not the IP) of the device, which is resolved to the private IP.

Does a http header exists that allows insecure connections to a specific URL ? (like CORS for cross domain)

No, it does not exist. The browser blocks your XHR connections because they are HTTP connections initiated from an HTTPS page (mixed-content warning). Non-secure content can theoretically be read or modified by attackers, even though the parent page is served over HTTPS, so it is normal and recommended that the browser warns the user.

To fix the mixed-content and HTTPS errors, you could serve the content through HTTPS with a self-signed certificate, and ask users to import your root CA into their browser.

pedrofb
  • You confirm my investigations. Importing a root CA is always a pain for our customers. I wonder if we could use the Plex solution (the price of the wildcard certificate could be a problem for a very small number of users). – Xvolks Jul 01 '16 at 07:10
  • You can buy a wildcard for a few hundred $/€. I guess if you always use 192.168.0.1, you can map 'localdevice.yourdomain.com' in a public DNS. The complexity of Plex seems to reside in using dynamic DNS with the hash of their devices. – pedrofb Jul 01 '16 at 07:23
  • That's right, the hash system is there to bind a certificate to only one user. On the other hand, I do not need the hash system, since the device is not connected to the internet. It is bound to the user by the USB wire. – Xvolks Jul 01 '16 at 07:28
  • para3: 'should be allowed' -> 'should NOT be allowed'! Also 'teorically' is not a word; I guess you meant 'theoretically'. – dave_thompson_085 Dec 19 '18 at 05:15
5

An SSL certificate cannot be issued for reserved IP addresses (RFC 1918 and RFC 4193 ranges) / private IP addresses (IPv4, IPv6), intranet or internal server names, or local server names with a non-public domain name suffix.

You could, however, use a 'self-signed' certificate. Here's how to create one:

Creating a self-signed certificate for a private IP (example: https://192.168.0.1):

  1. You need OpenSSL installed. For example, on Ubuntu you could install it with: sudo apt-get install openssl (it may already be installed; type "openssl version" to find out). For Windows, you could try this: https://slproweb.com/products/Win32OpenSSL.html

  2. Once OpenSSL is installed, open the OpenSSL prompt by entering 'openssl' on the console (Linux) or at the cmd prompt (Windows).

    $ openssl

    OpenSSL>

  3. Now do the following steps to create a private key, a certificate request and the self-signed certificate, and put it all together, using the commands below:

i) Create a key called mydomain.key:

OpenSSL> genrsa -out mydomain.key 2048

ii) Use the key to create a certificate request called mydomain.csr. You could accept the default options or specify your own information:

OpenSSL> req -new -key mydomain.key -out mydomain.csr

iii) Use the above to create a certificate:

OpenSSL> x509 -req -days 1825 -in mydomain.csr -signkey mydomain.key -out mydomain.crt

iv) Put all the above together into one PEM file: exit OpenSSL (OpenSSL> q), go to the certificate location and do:

$ cat mydomain.key mydomain.crt > mylabs.com.pem

mylabs.com.pem is your self-signed certificate. You can use it for requests like https://192.168.0.1 if your server supports HTTPS. Remember to check the port number for HTTPS (443).

  • It is not clear how this is relevant to the private IP 192.168.0.1. That value does not appear in any of the commands. Are you saying a cert generated this way will work for any reserved IP? – Tom Oct 07 '20 at 04:57
  • The private IP 192.168.0.1 shown is for illustration, for example when you try to access the gateway from your LAN client. This IP is irrelevant, as you have mentioned. The question asked was about securing a private IP network; using the above example, a self-signed certificate can be generated and used for that. – Murugan Viswanathan May 18 '21 at 01:33
  • This does not answer my question at all. I did not downvote it since it may be useful for others with different needs than mine (see my first comment in @pedrofb answer). – Xvolks Apr 13 '22 at 15:58
  • "An SSL certificate cannot be issued for Reserved IP addresses" Then how do MMO games exchange encrypted data over the internet so that no MITM messes with it? –  May 19 '22 at 22:27
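As an added worked example, not code from either answer above and not what Plex or the question's device actually uses: the openssl procedure from the second answer, reworked so that the resulting certificate really names 192.168.0.1 in the field a browser checks, and arranged in the root-CA model the first answer suggests, so customers import one vendor root instead of a per-device leaf. The IP 192.168.0.1, the hostname device.example.test and the CA name "Example Device Root CA" are placeholders; the script needs OpenSSL 1.1.0 or newer for the `-verify_ip` and `-verify_hostname` checks.

```bash
#!/usr/bin/env sh
# Added example for the thread above; not code from either answer, and not
# what Plex or the question's device actually ships.
# Builds a two-tier private PKI: customers import one vendor root (root.crt),
# and the device certificate signed by it names the private IP in
# subjectAltName, the only field browsers match against the URL.
# Placeholders: 192.168.0.1, device.example.test, "Example Device Root CA".
# Needs OpenSSL >= 1.1.0 (for "openssl verify -verify_ip").
set -eu

# One config file drives both certificates. The leaf extensions live here
# because "openssl x509 -req" ignores any extensions carried inside the CSR.
write_config() {   # write_config <dir> <ip> <hostname>
  cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign

[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
# The IP literal must be an IP: entry; DNS:192.168.0.1 would never match.
subjectAltName = IP:$2,DNS:$3
EOF
}

build_device_pki() {   # build_device_pki <dir> [ip] [hostname]
  local dir="$1" ip="${2:-192.168.0.1}" name="${3:-device.example.test}"
  write_config "$dir" "$ip" "$name"

  # 1. Self-signed root. Customers import root.crt once; root.key stays with
  #    the vendor, so device certificates can be reissued without a new import.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/pki.cnf" -extensions ca_ext \
    -subj "/CN=Example Device Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

  # 2. Device key and CSR (the CN is informational only).
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$dir/pki.cnf" -subj "/CN=$name" \
    -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null

  # 3. The root signs the device CSR and attaches the leaf extensions (incl. SAN).
  openssl x509 -req -days 825 -in "$dir/device.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/pki.cnf" -extensions leaf_ext \
    -out "$dir/device.crt" 2>/dev/null

  # 4. What the device's HTTPS listener loads: same shape as the answer's
  #    mylabs.com.pem, plus the root so clients receive the full chain.
  cat "$dir/device.key" "$dir/device.crt" "$dir/root.crt" > "$dir/device-bundle.pem"
}

# The check a browser that trusts root.crt performs for https://<target>/:
# a chain to the trusted root AND the target present in subjectAltName.
# Dotted-quad targets use the IP: matching rules, anything else the DNS: rules
# (IPv4 only here; an IPv6 literal would need its own branch).
device_cert_valid_for() {   # device_cert_valid_for <dir> <ip-or-hostname>
  case "$2" in
    *[!0-9.]*) openssl verify -CAfile "$1/root.crt" -verify_hostname "$2" \
                 "$1/device.crt" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$1/root.crt" -verify_ip "$2" \
                 "$1/device.crt" >/dev/null 2>&1 ;;
  esac
}

# Demo: build into a scratch directory and show what the certificate is good for.
demo_dir="$(mktemp -d)"
build_device_pki "$demo_dir"
openssl x509 -in "$demo_dir/device.crt" -noout -text | grep -A1 'Subject Alternative Name'
for target in 192.168.0.1 192.168.0.2 device.example.test; do
  if device_cert_valid_for "$demo_dir" "$target"; then
    echo "accepted for $target"
  else
    echo "rejected for $target"
  fi
done
```

Run as a script, it prints the SAN line and then reports the certificate as accepted for 192.168.0.1 and device.example.test and rejected for 192.168.0.2. Two points the answers leave implicit: modern browsers ignore the CN entirely, so a URL with an IP literal only works when that literal appears as an IP: entry in subjectAltName; and a public CA following the CA/Browser Forum Baseline Requirements will refuse an IP: entry for a reserved address or an internal name, but will issue for a public name such as device.example.com even when that name resolves to 192.168.0.1, which is exactly the arrangement the Plex approach relies on. In either case the XHR from the HTTPS page is cross-origin, so the device's HTTPS server still has to answer with the appropriate Access-Control-Allow-Origin header.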