Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Securing a private IP address (https certificate)

Tags:

ssl

cross-domain

I have an unusual use case :

  • a web server on the Internet is serving pages through HTTPS,
  • inside those web pages, there are calls to XMLHttpRequests to a locally connected device (IP over USB)
    • the device supports both HTTP and HTTPS,
    • the device is accessible on http(s)://192.168.0.1
  • the http calls fail because of insecure content in a https page,
  • the https calls fail because the certificate is not trusted (self-signed),

Side question: Since the device is locally connected to the PC, the encryption is pretty useless: Does a http header exists that allows insecure connections to a specific URL ? (like CORS for cross domain)

Main question: Is it possible to obtain a certificate for a private IP address ?

Edit: it seems that Plex had a similar problem and solved it the way described on this blog. This is a way too big for me.

like image 299
Xvolks Avatar asked Jun 30 '16 14:06

Xvolks

People also ask

Can I get an SSL certificate for a private IP address?

An SSL certificate can't be issued for Reserved IP addresses (RFC 1918 and RFC 4193 range)/ private IP addresses (IPv4, IPv6), Intranet for Internal Server Name, local server name with a non-public domain name suffix. Extended Validated (EV) SSL are not permitted to be issued for an IP address.

Can you use HTTPS with an IP address?

The short answer is yes, but we don't recommend it. If your IP address changes your SSL certificate can become useless. If you decide that you really need an IP in your cert there are specific stipulations, conditions, and limitations to consider.

Is an SSL certificate tied to an IP address?

An SSL Certificate is usually issued to a domain name and not an IP address. So long as your web server is hosting the domain name for which your SSL Certificate has been issued, the IP address doesn't matter.

Can you assign a certificate to an IP address?

Yes, however, only for Organizational Validated (OV) certificate types, and only for IP Addresses. Extended Validation (EV) certificates may not be issued with the use of IP Addresses or Internal Server Names.

1 Answers

An SSL certificate cannot be issued for Reserved IP addresses (RFC 1918 and RFC 4193 range)/ private IP addresses (IPv4, IPv6), Intranet for Internal Server Name, local server name with a non-public domain name suffix.

You could however use a 'self-signed' certificate. Here's how to create one:

Creating a Self-signed Certificate for a private IP (example https://192.168.0.1) :

  1. You need OpenSSL installed. For example, on Ubuntu, you could install it by: sudo apt-get install openssl (It may already be installed. Type "openssl version" to find out) For Windows, you could try this: https://slproweb.com/products/Win32OpenSSL.html

  2. Once OpenSSL is installed, go to OpenSSL prompt by entering 'openssl' on the console (LINUX), or the cmd prompt (WINDOWS).

    $ openssl

    OpenSSL>

  3. Now do the following steps to create: Private key, Certificate Request, Self-signing the certificate, and putting it all together, by using the below commands:

i) Create KEY called mydomain.key:

OpenSSL> genrsa -out mydomain.key 2048

ii) Use the key to create a Certificate request called mydomain.csr You could accept the default options, or specify your own information:

OpenSSL> req -new -key mydomain.key -out mydomain.csr

iii) use the above to create a certificate:

OpenSSL> x509 -req -days 1825 -in mydomain.csr -signkey mydomain.key -out mydomain.crt

iv) Put all the above to create a PEM certificate: exit OpenSSL (OpenSSL> q) and go to certificate location and do:

$ sudo cat mydomain.key mydomain.crt >> mylabs.com.pem

mylabs.com.pem is your self-signed certificate. You can use this in requests like https://192.168.0.1 if your server supports https. Remember to check the port number for https(443).

like image 73
Murugan Viswanathan Avatar answered Sep 24 '22 20:09

Murugan Viswanathan
Sign in to Comment

Related questions

Icecast 2 and SSL
How to log SSL handshake in node's https module
Extract requested validity period from a Certificate Signing Request using OpenSSL
How to set up Mercurial with ssl/security
Basic SSL Certificate Questions
Setting up SSL in JBoss AS 7
java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
How I can deactivate the SSL verification?
Could not establish trust relationship for the SSL/TLS secure channel with subject alternative name certificate
Swift 2 - Xcode 7.0 Cannot Access HTTPS site with unstrusted SSL Certificate
Migrate SOAP/REST client from TLS 1.0 to TLS 1.2
problem with wget command SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
Why i'm getting WRONG_VERSION_NUMBER when making a POST request to a HTTPS Server?
SSL_CTX_set_cert_verify_callback vs. SSL_CTX_set_verify
Exception at start of request - ClientAuth SSL
Obtaining all certificates in a chain; both intermediate and root
How to set up Apache CXF client to use WebSphere truststore? (Receiving "No trusted certificate found" exception.)
Node.js HTTPS 400 Error - 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
Can a page detect when user has loaded it insecurely
python.failure.Failure OpenSSL.SSL.Error in Scrapy (version 1.0.4)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!