Vivone

Reputation: 83

Certificate CN as IPv6 address in square brackets

Can we generate a certificate with an IPv6 address in square brackets in the CN?

For example: CN = [2001:100:1000:1000:20c:29ff:fe88:88ab]

Upvotes: 1

Views: 2509

Answers (3)

user16457328

IP addresses do not get stored as a CN, they have their own specific IP place they belong. See the example at https://[2606:4700:4700::1111]/

Here's how to make the CSR:

openssl req -new -sha256 -nodes -out d.ip6only.com.csr -newkey rsa:2048 -keyout d.ip6only.com.key -config <(echo -e "[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\nreq_extensions = req_ext\ndistinguished_name = dn\n\n[ dn ]\nC=US\nST=Texas\nL=Houston\nO=Example\nOU=Example\nemailAddress=abuse@Example\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\nIP.1 = 2a22:3071:1:2:2d00::3\n")

Upvotes: 1

JW0914

Reputation: 191

I'm unsure what Mr. Ullrich means by "...but it [SAN] will not verify an IP address...", as the SAN can contain any type of OID otherName:*, as well as dirName:*, IP.*, DNS.*, and email.*.

If a SAN contains IP.1 = 192.168.1.1 and DNS.1 = your.ddns.com, navigating to either will verify the IP or DNS as valid.

Upvotes: 0

Steffen Ullrich

Reputation: 123320

IP addresses in CN will not be checked; you have to use the subjectAltName extension to store IPv4 and IPv6 addresses.

Upvotes: 1
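
Added example, not part of any answer above: a Python sketch of why the square brackets never belong in the certificate. An iPAddress SAN entry holds the raw 4 or 16 octets of the address, and the brackets are only URL syntax, so they are stripped before the `[ alt_names ]` section is written and before any comparison. The function names are hypothetical, and the matching is a model of octet comparison, not any TLS library's code.

```python
import ipaddress


def classify_host(host):
    """Return ("IP", raw octets, canonical text) or ("DNS", None, name).

    Square brackets are URL syntax for IPv6 literals, not part of the
    address, so they are stripped here and never reach the certificate.
    """
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):
        # Brackets are only valid around an IPv6 literal; anything else
        # raises ValueError instead of being stored as a name.
        addr = ipaddress.IPv6Address(host[1:-1])
        return ("IP", addr.packed, addr.compressed)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return ("DNS", None, host.lower())
    return ("IP", addr.packed, addr.compressed)


def alt_names_section(hosts):
    """Build the [ alt_names ] section of an OpenSSL request config."""
    lines, count = ["[ alt_names ]"], {"IP": 0, "DNS": 0}
    for host in hosts:
        kind, _, text = classify_host(host)
        count[kind] += 1
        lines.append(f"{kind}.{count[kind]} = {text}")
    return "\n".join(lines)


def ip_san_matches(url_host, san_ips):
    """Compare raw octets, so text spelling and brackets do not matter."""
    kind, octets, _ = classify_host(url_host)
    return kind == "IP" and any(
        octets == ipaddress.ip_address(ip).packed for ip in san_ips)


if __name__ == "__main__":
    # Constructed input: the addresses and name are taken from the posts above.
    hosts = ["[2001:100:1000:1000:20c:29ff:fe88:88ab]",
             "192.168.1.1", "your.ddns.com"]
    print(alt_names_section(hosts))
    print(ip_san_matches("[2001:0100:1000:1000:020c:29ff:fe88:88ab]",
                         ["2001:100:1000:1000:20c:29ff:fe88:88ab"]))
```

The generated section can replace the `[ alt_names ]` part of the config passed to `openssl req`.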
