1

I have created my own CA for internal usage and set the root certificate to trustworthy on my machines. With this CA I signed the SSL certificates for my internal servers. I only address them with their IP and so I used the servers' IP as certificate name. If I connect to the servers with Chrome or mobile Safari it works without problems, but if I use Safari 7 under Mavericks (on the same machine with the same keychain) I get the following error: "The certificate is not valid (host name mismatch)". I double checked that I entered the correct IP ("https://192.168.2.130"), but I always get the same error. Do I need to enter a different name for the certificate or is it just that Safari doesn't support SSL certificates for IPs? Here is a screenshot of the error message (I can only post images with at least 10 rep): Safari's error message

Thanks in advance and please excuse my bad English :D

K. Biermann

1 Answer

2

If you want to issue a certificate for a host and have it work when it's contacted via its IP address, you have to set the subject name to its hostname (really, whatever you want, though it's strongly recommended that it be a DNS name you control and which actually references that server), and create a SAN (subjectAltName) for each IP address you want it valid for. You only have to do this if you care whether using the IP instead of the DNS name in the URI validates or not.

The SAN also has to be specially formatted, with the IP: prefix, for example IP:192.0.2.5.

Falcon Momot
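The certificate layout described in the answer above, as an added example that is not part of the original answer: a throwaway CA signs a server certificate whose subject is a hostname and whose subjectAltName carries the IP, and `-checkip` confirms which addresses it validates for. It assumes the `openssl` command-line tool is installed; the hostname `server.example.internal`, the CA name and the file names are placeholders.

```shell
#!/bin/sh
# Added example; hostname, CA name and file names are placeholders.

# issue_cert DIR HOSTNAME IP
# Creates a throwaway CA in DIR and signs DIR/server.crt whose subject is
# HOSTNAME and whose subjectAltName lists both the DNS name and the IP.
issue_cert() {
    dir=$1; host=$2; ip=$3
    # Throwaway CA standing in for the internal CA from the question.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and CSR: the subject CN is the hostname, not the IP.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # The address goes into a SAN entry with the IP: prefix.
    printf 'subjectAltName = DNS:%s, IP:%s\n' "$host" "$ip" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_ip CERT IP
# Succeeds only if CERT has an IP subjectAltName entry equal to IP.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>&1 |
        grep -q 'does match certificate'
}

# Demo: the listed address validates, a neighbouring one does not.
tmp=$(mktemp -d) && issue_cert "$tmp" server.example.internal 192.0.2.5 &&
for ip in 192.0.2.5 192.0.2.6; do
    if cert_matches_ip "$tmp/server.crt" "$ip"; then
        echo "$ip: accepted"
    else
        echo "$ip: name mismatch"
    fi
done
rm -rf "$tmp"
```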