23

Is it possible to do self signed certification a website without domain name? I have read that let'sencrypt.org does not issue certificate for having no domain name.

Aisha atique
  • 551
  • 2
  • 5
  • 16

2 Answers2

18

If you want a certificate from LetsEncrypt that would be trusted by most browsers you need a domain that resolves to your server. LetsEncrypt does not issue certs for IP addresses nor for custom dev-domains like .local.

You can of course create and sign a certificate yourself, for every domain name you want, or even for IP addresses. The domain name can be anything, and doesn't necessarily be the one you use to access the site. The webserver won't mind. Your browser will display a lot of warnings, though (CN mismatch, non-trusted signature-path), but if you skip/ignore those you can access your site via HTTPS.

For local development certificates there also is the tool mkcert, which even makes your browser trust them by adding a local CA.

Tobias K.
  • 2,997
  • 2
  • 12
  • 29
  • Thanks, also by creating a self sign certificate directly for IP address expose to others security threats? – Aisha atique Jul 15 '18 at 18:01
  • For the strength of the encryption used it doesn't matter whether it's self-signed, LetsEncrypt, purchased, or whether it is for IP or domain name. Security is not only encryption though, but also the authenticity of your webpage. By using a self-signed certificate and ignoring the security warnings it can be easier for an attacker to pull of a MITM attack using another self-signed cert of his, as you will likely "blindly" ignore the browser warnings that are implemented to prevent this. – Tobias K. Jul 15 '18 at 20:00
10

self-sign the certificates

openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

by running this command two files are created cert.pem and key.pem , in this process it will ask few questions which are necessary to create certificate . Since we have passed days argument as 365, it is valid for another one year.

Use the key files to certify ip example: 127.0.0.1 or 54.198.xx.xx (EC2 instance IP)

The certificate generated is of x509 standard

user2297550
  • 3,142
  • 3
  • 28
  • 39
Nikil Munireddy
  • 278
  • 4
  • 8
  • 6
    Not really answering the question. – Stefan Becker Feb 08 '19 at 18:05
  • 12
    @StefanBecker the answer to the question (verbatim) "is it possible..." is "yes", and this answer goes above the call of duty and even explains how to self-sign without a domain name which is what asker really wanted. Answer is fine. – Ruzihm Sep 10 '20 at 21:36
  • 1
    "self-sign" needs the hyphen. – GeneC Jun 14 '21 at 23:44