Reputation: 267020
can you put SSL on a IP address or only on a web server's domain name?
In a web application, if it doesn't have a domain name (like a web service for example), can you still add a SSL certificate to a IP address?
If yes, how?
Upvotes: 27
Views: 37863
Answers (4)
Reputation: 2047
Yes you can, but it isn't common, probably isn't portable, and usually isn't a great idea...
Public IP Address
An SSL certificate is typically issued to a Fully Qualified Domain Name (FQDN), but issuers can still offer SSL certificates for a public IP address, typically declared in the CN and SAN values of the certificate, since historically these are referenced varyingly by different flavours/versions of browser. However the facility might only be offered in premium products, eg an 'Organisation Validated' (OV) Certificate covering a whole organisation, or an 'Extended Validation' (EV) Certificate which requires rigorous vetting when acquired.
Private IP Address Space (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8)
In November 2015, the CA/Browser Forum prohibited the use of internal server names and reserved IP addresses in publicly-trusted SSL Certificates. However some issuers do still offer 'Intranet Certificate' services that allow enterprises to continue to issue SSL to internal server names and reserved IP addresses without the need to run their own CA or use self-signed certificates, instead using the issuer's own non-public CAs.
In this scenario it's possible to store internal server names and reserved IP addresses in the CN and SAN values of the certificate. These may also allow options which would otherwise not be permitted under public hierarchies including the use of SHA-1 and 4-5 year certificates etc, furthermore, you can mix internal, FQDNs, sub-domains, wildcard, and public IP addresses in a single certificate under a non-public root.
Upvotes: 0
Reputation: 953
This site offers certificates for IP addresses. You wouldn't be able to (properly) use a certificate for a domain name for an IP address, however.
Upvotes: 4
Reputation:
You can easily put an ip address into the CN (common name) of an ssl certificate by the same procedure you would use for an ordinary hostname (ssl certificates contain hostnames, not domain names).
How this is done precisely in your case cannot be answered, since you have not stated what your case is.
Browsers should match the CN of a certificate against what the user has put into the URL bar. If it's an ip address, it's an ip address.
Upvotes: 31
Reputation: 101
There's some good information here: https://www.thawte.com/ssl-digital-certificates/technical-support/browserfaqs.html
I'm almost certain you need a domain to go with the SSL.
Upvotes: -4
Related Questions
- LetsEncrypt SSL on IP Address
- Are SSL certificates bound to the servers IP address?
- Can I use a self-signed SSL certificate with the domain name www.google.com?
- Should websites with only global ip addresses be ssl?
- is use SSL only on server side safe?
- Is domain name of the server checked during SSL handshake
- Using SSL when browsing to an IP address
- What exactly does "every SSL certificate requires a dedicated IP" mean?
- ssl certificate for several domains, one IP
- Is SSL possible with virtual hosting on one IP?