Using SSL with an IP address instead of DNS
daniel Mon, 09/10/2012 - 3:49pm
Useful Background links:
- SSLHandshakeException: No subject alternative names present
- How are SSL certificate server names resolved/Can I add alternative names using keytool?
- Keytool manual
- xinotes.org - Using OpenSSL to add Subject Alternative Names to a certificate
We'll build off of this earlier post about creating a self-signed cert and the Subject Alternative Names link above from xinotes.org.
We'll be changing only two commands from the earlier walkthrough.
Create the certificate signing request (the original command first, then the modified one that reads the extra attributes from our config file):
openssl req -new -key server.key -out server.csr
openssl req -new -key server.key -out server.csr -config openssl.cnf
Sign the certificate signing request and generate the certificate (original command first, then the modified one; the -extensions/-extfile flags tell x509 -req to put the v3_req extensions, including the subjectAltName, into the issued certificate):
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions v3_req -extfile openssl.cnf
We'll also need to add a config file. Copy your operating system's openssl.cnf - on Ubuntu it is in /etc/ssl - to your working directory, and make a couple of tweaks to it. We need to do this because the openssl tool will not prompt for these attributes: they have to be entered directly in the config file, and we don't want them to propagate to every other cert we make.
I'll just note the changes that need to be made to the Ubuntu openssl.cnf. Slightly more info can be found on the xinotes.org link.
- uncomment (by removing the hash mark)
req_extensions = v3_req # The extensions to add to a certificate request
- Modify the v3_req section as follows, and add an alt_names section for it to reference (subjectAltName = @alt_names points at that section, so the IP entry goes there, not in v3_req):
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 192.168.1.2
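The whole procedure in one runnable script, added here as an example rather than code from the original post: it writes a minimal openssl.cnf (just the sections the walkthrough touches, with prompt = no and a CN so req does not ask questions), runs the two modified commands, and then checks that the issued certificate actually carries the IP in its Subject Alternative Name, which is the thing clients will reject on if it is missing. The directory and IP are parameters; the function names are my own.

```shell
#!/bin/sh
# Generate a self-signed certificate whose subjectAltName carries an IP
# address, then verify that the SAN really made it into the certificate.
# Usage: make_ip_cert <workdir> <ip>
make_ip_cert() {
    dir="$1"; ip="$2"
    # Minimal stand-in for the tweaked /etc/ssl/openssl.cnf: only the
    # sections the walkthrough changes, plus a fixed subject so that
    # "openssl req" runs non-interactively.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = $ip

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
IP.1 = $ip
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # CSR: the -config flag pulls req_extensions (and so the SAN) in.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/openssl.cnf"
    # Self-sign: without -extensions/-extfile the SAN would not be
    # written into the certificate.
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" \
        -extensions v3_req -extfile "$dir/openssl.cnf" 2>/dev/null
}

# Succeeds (exit 0) only if the certificate's SAN lists the given IP.
# This is the check to run before deploying: a cert with the IP only in
# the CN is not enough for modern clients.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}
```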