0

I'm new to setting up SSL certificates and CSRs. I want to use a public IP instead of a domain name in SSL. I created a CSR file using the following command and info:

openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

Generating a 2048 bit RSA private key
.....................+++
...........................................+++
writing new private key to 'mydomain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Delhi
Locality Name (eg, city) []:Delhi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyComp ITES pvt ltd
Organizational Unit Name (eg, section) []:chatapp
Common Name (e.g. server FQDN or YOUR name) []:123.123.123.12(Elastic IP)
Email Address []:amitdubey@gmail.com        

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This command generates two files:

1. mydomain.key

2. mydomain.csr

I copy all the text from mydomain.csr and paste it into the GoDaddy Certificate Signing Request (CSR), but it gives me this error:

Public IP addresses are not allowed. 

Can anyone help me with what's wrong and how I can fix this error?

Gabber

3 Answers

3

The other answers all seem to be correct but they may be missing the point. It seems to me that the real answer is don't do that.

I can't imagine a use case that requires you to secure an arbitrary IP address; it seems like a bad idea for all the good reasons mentioned in the other answers. You lose the flexibility of decoupling the name from the IP address that DNS is designed for in the first place.

You should just register a certificate to an arbitrary subdomain you own and completely bypass this problem rather than go against the grain and try to hack around the problem.

ianjs
2

You cannot generally get SSL certificates issued with an IP address as a subject name.

Firstly, you have no basis with which to get such a certificate issued unless the IP block is delegated to you (from an RIR, for example). This means that unless you are listed and named in the whois information for that IP block, you will not get a certificate.

Secondly, not all certificate authorities will do this even in that case.

Your elastic IP is a little like a subdomain in this sense. It's available for your use, and associated with you in the context of your provider, but as far as ICANN and its descendants are concerned it isn't yours.

Falcon Momot
  • Falcon, can I use the AWS public DNS (ec2-12-235-236-239.ap-southeast-1.compute.amazonaws.com)? – Gabber Jun 18 '14 at 10:23
  • Are you sure about this? I had providers offer this, it's not EV of course. – faker Jun 18 '14 at 10:54
  • Some do, but the general policy is to not do it unless the block is delegated to you. Here is an example: https://support.globalsign.com/customer/portal/articles/1216536. Wouldn't it be messy if this were allowed, and someone got a bunch of them and released the EIPs? – Falcon Momot Jun 18 '14 at 22:00
  • 1
    Also, @AmitDubey, no, nobody will issue you that, since amazonaws.com doesn't belong to you. – Falcon Momot Jun 18 '14 at 22:01
1

The Common Name must be the FQDN of the domain you want to request the certificate for.
E.g. www.example.com

It cannot be an IP address.

faker
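A pre-submission check for the names discussed in this thread, added here as an example and not part of any answer above: it rejects IP literals and hostnames under zones you do not own, and only builds the `openssl req` command for a name under your own zone. `OWNED_ZONES`, `classify_subject` and `openssl_req_argv` are hypothetical names, and `example.com` is a placeholder for a zone you have registered.

```python
import ipaddress

# Assumption: the DNS zones registered to you (placeholder value).
OWNED_ZONES = {"example.com"}

def classify_subject(name, owned_zones=OWNED_ZONES):
    """Return (verdict, reason) for a name intended as the CSR Common Name."""
    candidate = name.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_global:
            return "reject", "public IP: block is not delegated to you"
        return "reject", "private/reserved IP: not a globally routable address"
    labels = candidate.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return "reject", "not a fully qualified domain name"
    for zone in owned_zones:
        if candidate == zone or candidate.endswith("." + zone):
            return "ok", "name is under a zone you control"
    return "reject", "zone is not registered to you"

def openssl_req_argv(cn, dn_prefix="/C=IN/ST=Delhi/L=Delhi/O=MyComp ITES pvt ltd/OU=chatapp"):
    """Build the question's openssl command non-interactively, only for an acceptable CN."""
    verdict, reason = classify_subject(cn)
    if verdict != "ok":
        raise ValueError(f"{cn!r}: {reason}")
    return ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-keyout", "mydomain.key", "-out", "mydomain.csr",
            "-subj", f"{dn_prefix}/CN={cn}"]

if __name__ == "__main__":
    # Sample names: the two from the thread plus a constructed subdomain.
    samples = [
        "123.123.123.12",
        "ec2-12-235-236-239.ap-southeast-1.compute.amazonaws.com",
        "chat.example.com",
    ]
    for sample in samples:
        print(sample, "->", classify_subject(sample))
    print(" ".join(openssl_req_argv("chat.example.com")))
```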