I have my application hosted in the cloud and, while demoing to prospective clients, I would like to make sure that my browser doesn't complain due to the lack of trust. So I want to generate a self-signed certificate that is bound to an IP address.

All of the online resources that I have read only talk about generating the certificate bound to the domain.

acthota
  • Your browser will still complain due to a lack of trust with any self-signed certificate. "Self-signed" means that the certificate was not signed by any trusted Certificate Authority, and the browser will not trust it by default. – Stefan Lasiewski Jan 16 '15 at 05:48
  • I have realized that an SSL certificate for a public IP address is not that good an idea, from the answers to the question mentioned by @MadHatter. I have decided to use an SSL cert bound to a domain name and use the hosts file for resolution for testing and demo purposes. I have generated a self-signed certificate using the command => keytool -genkey -keyalg RSA -alias selfsigned -keystore demo1keystore.jks -storepass ywkeystore@789 -validity 360 -keysize 2048 To add it to the trust store read by Chrome => http://blog.avirtualhome.com/adding-ssl-certificates-to-google-chrome-linux-ubuntu/ – acthota Jan 16 '15 at 12:33
  • I have experimented with an IP as the CN to understand how it works, but ran into a few issues. Will post the findings shortly. – acthota Jan 16 '15 at 12:38
  • By the way, thanks @MadHatter for linking the other question and for your detailed answer on that question. – acthota Jan 16 '15 at 12:59
  • @MadHatter: Might be a dumb question. What is the difference between [[generating my own self-signed certificate (which would mean I am signing it) and asking the client user to import my self-signed certificate (public key part) into his trust store]] -----VS------- [[creating my own CA, signing a certificate with it and asking the client user to import my CA into the trusted CAs list]]? – acthota Jan 16 '15 at 13:08
  • I don't understand why someone downvotes a question without citing the reason for the downvote. There should be a purpose for downvoting, so that the OP can edit the question or ask better questions in the future. "Can the real downvoter ... please stand up... please stand up...! Server Fault..." – acthota Jan 17 '15 at 03:21
  • I landed on this page with the same question in mind, and am upvoting the question... – Balaji Birajdar Jun 08 '18 at 14:28
  • "This question already has answers here". The answers on that page do not talk about self-signed at all. – Steve Smith Mar 13 '20 at 11:58

2 Answers

It doesn't matter if your subject is a name or an IP; the way you need to fix the cert being untrusted is the same: trust the self-signed cert on the local system.

If for some reason you need to use an IP instead of a name (hosts file?), then set up a subject alternative name with the IP address, like IP:192.0.2.1.

Shane Madden

[Reposting my comment as the answer]

I have realized that an SSL certificate for a public IP address is not that good an idea, from the answers to the related question (linked to this question) by @MadHatter.

I have decided to use an SSL cert bound to a domain name and use the hosts file for DNS resolution for testing and demo purposes.

I have generated a self-signed certificate using the command =>

keytool -genkey -keyalg RSA -alias selfsigned -keystore demo1keystore.jks -storepass mykeystore@789 -validity 360 -keysize 2048

To add it to the trust store read by Chrome => I have followed the instructions from this link

I have tested all this to understand what works in practice.

Tried with a

  • Self-signed certificate bound to a domain name, and tested SSL connectivity with Chrome and Firefox and a Jetty server. Things worked fine.
  • Self-signed certificate bound to an IP address, and tested SSL connectivity with Chrome and Firefox and a Jetty server. The Chrome browser failed to trust the certificate.

If anyone else has a different perspective about this, please reply as a comment. Accepting this as answer.

acthota
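The two answers above make two separate points that are easy to conflate: Shane Madden's, that an IP has to go into the certificate as a subjectAltName entry (IP:192.0.2.1), and acthota's, that a cert is only trusted once the client has been told to trust it. Browsers match the address in the URL against the SAN only: an IP is compared with iPAddress entries (Chrome has never matched an IP against the CN), and since Chrome 58 a DNS name is likewise not matched against the CN. A cert made with a bare keytool -genkey or openssl req -x509, which puts the address only in the CN, therefore fails the name check regardless of trust. The script below is an added example, not code from either answer or from the OpenSSL or keytool projects; it uses openssl rather than keytool, and 192.0.2.1 and demo.example.test are placeholder values chosen here. It generates a SAN-bearing cert and a CN-only cert, shows which one carries the IP where a browser will look for it, and shows that the self-signed cert verifies only when its own copy is the trust anchor.

```shell
#!/bin/sh
# Added example, not code from either answer above. It uses openssl instead of
# keytool; 192.0.2.1 and demo.example.test are placeholder values (assumptions).
# Browsers match the URL host against subjectAltName only: an IP must be an
# iPAddress entry, a name a dNSName entry; a CN-only cert fails the name check.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_san_cert <ip> <dns-name> <basename>
# Self-signed key + cert with both the IP and the name in the SAN (the fix from
# Shane Madden's answer, with a DNS entry added for the hosts-file approach).
gen_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 360 \
        -keyout "$WORKDIR/$3.key" -out "$WORKDIR/$3.crt" \
        -subj "/CN=$2" \
        -addext "subjectAltName=IP:$1,DNS:$2" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# gen_cn_only_cert <ip-or-name> <basename>
# What a bare "keytool -genkey" (no -ext SAN) or "openssl req -x509" without
# -addext produces: the address lives only in the CN, where browsers no longer look.
gen_cn_only_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 360 \
        -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.crt" \
        -subj "/CN=$1" 2>/dev/null
}

# san_entries <cert>: one SAN entry per line with spaces removed, e.g.
#   IPAddress:192.0.2.1
#   DNS:demo.example.test
# Prints nothing when the certificate carries no subjectAltName extension.
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr -d ' ' | tr ',' '\n' | sed '/^$/d'
}

# has_san_ip <cert> <ip> / has_san_dns <cert> <name>: exact-match checks on the
# SAN, mirroring the browser's name check (done before trust is even considered).
has_san_ip()  { san_entries "$1" | grep -qxF "IPAddress:$2"; }
has_san_dns() { san_entries "$1" | grep -qxF "DNS:$2"; }

# trusted_with_anchor <cert> <anchor-cert>: does <cert> chain to <anchor-cert>?
# A self-signed cert verifies only when it is itself the anchor, which is what
# importing it into the OS or browser trust store achieves.
trusted_with_anchor() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

main() {
    gen_san_cert 192.0.2.1 demo.example.test demo
    gen_cn_only_cert 192.0.2.1 cnonly

    echo "SAN of demo.crt:";   san_entries "$WORKDIR/demo.crt"
    echo "SAN of cnonly.crt:"; san_entries "$WORKDIR/cnonly.crt"   # prints nothing

    if has_san_ip "$WORKDIR/demo.crt" 192.0.2.1; then
        echo "demo.crt: 192.0.2.1 is in the SAN, so https://192.0.2.1/ can match it"
    fi
    if ! has_san_ip "$WORKDIR/cnonly.crt" 192.0.2.1; then
        echo "cnonly.crt: 192.0.2.1 is only in the CN; the name check fails even if trusted"
    fi
    if ! trusted_with_anchor "$WORKDIR/demo.crt" "$WORKDIR/cnonly.crt"; then
        echo "demo.crt: untrusted until its own copy is the trust anchor"
    fi
    if trusted_with_anchor "$WORKDIR/demo.crt" "$WORKDIR/demo.crt"; then
        echo "demo.crt: verifies with itself as the trust anchor"
    fi
}
main
```

The same SAN can be produced with keytool by adding -ext SAN=ip:192.0.2.1,dns:demo.example.test to the -genkeypair (formerly -genkey) command from acthota's answer; -addext in openssl req needs OpenSSL 1.1.1 or later. Neither tool changes the trust side of the problem: the cert still has to be imported into the client's trust store, and the hosts-file trick only helps if the name you map is the one in the SAN.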