
I have a back-end server with a permanent public IP for it. From my findings, it looks like I can't have a CA certificate for my public IP; I need to produce a domain name for it and then add an A record, e.g. https://server.my-domain.com. But what I want to know is whether it is possible to have any certificate (self-signed or CA one) to have something like https://my-public-ip and not be marked as a potential threat by HTTP clients or browsers?

Also, if my understanding is correct, a CA cert is needed to prove that the domain is authentic and no one is impersonating it. Apart from this purpose, a self-signed certificate should also be good enough just for encryption purposes? If that is the case, why can't I simply have a self-signed certificate (without being flagged) for my public IP, since I already know which system I'm talking to?

yayawar

1 Answer


Until someone corrects me, I think I've found my solution. The problem of using self-signed certificates with bare IP addresses is again similar to what we see with domain names. A MITM can impersonate the IP address as well, similar to domain impersonation. So it is very important to either use CA certs or make sure the client already knows which self-signed certificates it needs to trust.

So, the problem of self-signed certificates with bare IPs is solved. Essentially, it's as vulnerable as using self-signed certificates with any other domain name.

In my case I have to have a CA cert, since I cannot control the network from which my clients will try to connect to my server.

yayawar
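The "client already knows which self-signed certificate to trust" option from the answer above, as an added Python example that is not part of the original post. The function names are hypothetical, and the example assumes the certificate file or its SHA-256 fingerprint reached the client over a channel the attacker does not control.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The server presented a certificate other than the pinned one."""


def normalize_pin(pin: str) -> bytes:
    """Accept 'AA:BB:...' or 'aabb...' SHA-256 fingerprints; return raw bytes."""
    raw = bytes.fromhex(pin.replace(":", "").strip())
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin must be a SHA-256 fingerprint (32 bytes)")
    return raw


def cert_matches_pin(der_cert: bytes, pin: str) -> bool:
    """Constant-time comparison of the certificate's SHA-256 with the pin."""
    digest = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(digest, normalize_pin(pin))


def trust_only(cert_pem_path: str) -> ssl.SSLContext:
    """Option 1: the self-signed certificate is the only trust anchor.
    Hostname checking stays on, so the certificate needs an IP
    subjectAltName equal to the address the client dials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no system CAs loaded
    ctx.load_verify_locations(cafile=cert_pem_path)
    return ctx


def connect_pinned(ip: str, port: int, pin: str, timeout: float = 5.0):
    """Option 2: accept exactly one certificate, identified by fingerprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the pin check below replaces CA validation
    raw = socket.create_connection((ip, port), timeout=timeout)
    sock = ctx.wrap_socket(raw)
    der = sock.getpeercert(binary_form=True) or b""
    if not cert_matches_pin(der, pin):
        sock.close()
        raise PinMismatch(f"unexpected certificate from {ip}:{port}")
    return sock  # send application data only after the pin matched
```

Either option removes the browser-style warning only for clients that were configured this way in advance; any other client still sees an untrusted certificate.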