3

From what I've read and researched (here, other places) I'm almost certain what I'm asking will not be possible but any alternative suggestions are welcome.

I have a server with a Public IP address and no domain name. I've got a valid SSL cert on it but Public IP address based SSL certs are being done away with by CAs by November 2015.

I'm setting up a new FQDN domain for the server and getting an SSL cert for it, that's not an issue.

So, I will need to redirect all the current links of https://123.456.78.99/ to https://www.example.com/ and this is where the problem lies.

While the certificate is still valid, the redirect won't be an issue but once the Public IP address expires I won't be able to renew it and the Public IP address https links will always give a warning about the expired certificate.

Most of the questions about this type of redirect all say just renew the certificate for the original domain but since my server SSL cert is just for the public IP address I cannot renew the SSL certificate.

If it matters, I'm using Apache 2.4

Any thoughts?

HBruijn
  • 72,524
  • 21
  • 127
  • 192
PadraigD
  • 141
  • 1
  • 8
  • unfortunately, you are out of luck. HTTP**S** means SSL and client will always attempt SSL handshake and server certificate validation. And will claim (via warnings, message boxes, etc.) if there is something wrong with the certificate. – Crypt32 Sep 04 '15 at 16:40
  • 3
    Do you have a link to documentation saying this cert type cannot be renewed? The answer of course is that you probably should have phased out your public IP cert and redirected the day that document was released instead of waiting until the last minute. Unfortunately, I don't have any good suggestions for you other than to get the new cert in place and transitioned as fast as possible. BTW I am asking for docs, because Globalsign seems to still be offering these. https://support.globalsign.com/customer/portal/articles/1216536-securing-a-public-ip-address---ssl-certificates – Zoredache Sep 04 '15 at 16:41
  • 2
    The only thing that I can see docs for being blocked is for `reserved IP addresses` (eg 10/8, 172.16/12, etc). https://www.digicert.com/internal-names.htm Which shouldn't apply to you, if you actually have a valid non-reserved IP in you cert. – Zoredache Sep 04 '15 at 16:46
  • 4
    I thought that [Globalsign](https://support.globalsign.com/customer/portal/articles/1216536) was one of the few issuers of widely accepted certificates for IP-addresses and [this link](https://support.globalsign.com/customer/portal/articles/1467819) has no indication they will stop doing so for public ip-addresses. – HBruijn Sep 04 '15 at 16:46
  • We use GeoTrust and they seem to have a way to continue using the Public IP address as the CN for the cert. Reading the specs it doesn't mention not allowing issuing of certs for public ip addresses but some CAs I looked at said they would not be issuing certs for public ips and this was becoming industry standard. We've requested the renewal and hopefully this will sort out the issue. Thanks for the help. – PadraigD Sep 07 '15 at 10:59

1 Answers1

1

GeoTrust allows renewal of Public IP address SSL certs. There were some issues at the start with them but it has been fixed on their side. So, now the Public IP certificate is valid and I can do the redirect the https calls to the Public IP address to the new https FQDN address.

PadraigD
  • 141
  • 1
  • 8
  • Thanks for coming back and noting how this worked out - +1 from me. Don't forget to use this year's grace to migrate the business away from IP-address-based https: URLs. Start today. – MadHatter Sep 08 '15 at 09:00
  • Yes, I will do the redirect and show/email a message to users stating to use the new address. Thanks. – PadraigD Sep 08 '15 at 09:02
  • I'm curious to see if this works with modern browsers. MS and Google both use SNI based encryption. – Jim B Sep 08 '15 at 09:30
  • @JimB I'm not sure what you mean by that. Are you asking if the IP based certificate is valid or something else? All the latest versions of the main browsers, and also the beta versions that I use, have no issues with this cert. – PadraigD Oct 05 '15 at 21:53
  • IP based certs should fail validation since there is no server name (should result in a handshake error), I know that .local will also be blocked(next year) and I wasn't sure if they made SNI mandatory yet in the newest browsers. I'm glad its still working for you. – Jim B Oct 06 '15 at 12:20