
A self-signed certificate works well when generated on an Ubuntu machine with this command:

openssl req -x509 -newkey rsa:4096 -keyout private.key -out cert.crt -days 365 -nodes

If the client side uses an IP address instead of the domain name, it fails.

To make the IP address work, following the instructions from this previous question and answer about a failed handshake due to the certificate not containing any IP SANs, /etc/ssl/openssl.cnf was modified to have subjectAltName = IP:192.168.2.107 added to the [v3_ca] section.

This change makes the IP address work well; however, the domain name no longer works. The error message is:

x509: certificate is not valid for any names, but wanted to match yoursubdomain.yourdomain.com

Another source about SANs basically suggests the same thing, without a clear hint on how to make both the IP address and the DNS name work at the same time.

How to have both IP address and domain name work together?

minghua
  • Add the DNS names like in the answer here: https://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl – Zina Nov 10 '18 at 23:26
  • So: [1] instead of `subjectAltName=192.168.2.107`, change to `subjectAltName = @alternate_names`. [2] Add a section `[ alternate_names ]`. [3] List the IP address below it as `IP.1 = 192.168.2.207`, and the DNS name as `DNS.1 = subdomain.domain.com`. I will give that a try. Do you want to put that into an answer? – minghua Nov 12 '18 at 03:56
  • Were you able to get the cert as wanted? I can recommend XCA, a cross-platform certificate manager, if you want to play with certificates. – Zina Nov 13 '18 at 18:35
  • Nice! https://github.com/chris2511/xca/ and https://sourceforge.net/projects/xca/ – minghua Nov 16 '18 at 15:16
  • Maybe also multiple subjects in one line like `subjectAltName_default = DNS:myhost.com.au,IP:127.0.0.1,EMAIL:my@here.org` as suggested by https://serverfault.com/questions/455525/openssl-how-to-generate-a-csr-with-interactively-solicited-subject-alternative – minghua Nov 16 '18 at 15:23

0 Answers
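The two error messages in the question ("doesn't contain any IP SANs" and "certificate is not valid for any names, but wanted to match ...") are the exact wording of Go's crypto/x509 hostname check, so the client is almost certainly a Go program. The added example below (written for this page, not code from the question or the comments) reproduces that check offline: it builds three self-signed certificates in Go, one with both a DNS name and an IP in the subjectAltName extension, one with only the IP, one with only the DNS name, and runs the same name check a Go TLS client performs against each. The `DNSNames` and `IPAddresses` fields correspond one-to-one to the `DNS.1 = ...` and `IP.1 = ...` entries of the `[ alternate_names ]` section suggested in the comments. The host name and IP are the ones from the question; the use of an ECDSA P-256 key instead of the RSA 4096 key from the openssl command is an assumption made only to keep the example fast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed server certificate whose subjectAltName
// extension carries the given DNS names and IP addresses. This is what the
// [ alternate_names ] section with DNS.1 / IP.1 entries produces for
// "openssl req -x509". The CN is filled in for readability only: Go ignores
// it for name matching once a SAN extension is present.
func selfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	// ECDSA P-256 is an assumption for speed; the question used rsa:4096.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // -days 365
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames, // DNS.1, DNS.2, ... in openssl.cnf terms
		IPAddresses:           ips,      // IP.1, IP.2, ...
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHost runs the same SAN match a Go TLS client applies to the server
// certificate (after chain verification, which is a separate step and still
// requires the self-signed cert to be in the client's trust store).
// It returns "" on success, otherwise the error text the client would report.
func checkHost(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	dns := "yoursubdomain.yourdomain.com"
	ip := "192.168.2.107"

	both, err := selfSigned(dns, []string{dns}, []net.IP{net.ParseIP(ip)})
	if err != nil {
		panic(err)
	}
	ipOnly, _ := selfSigned(dns, nil, []net.IP{net.ParseIP(ip)})
	dnsOnly, _ := selfSigned(dns, []string{dns}, nil)

	cases := []struct {
		name string
		cert *x509.Certificate
	}{{"DNS+IP", both}, {"IP only", ipOnly}, {"DNS only", dnsOnly}}
	for _, c := range cases {
		fmt.Printf("%-9s %-30s %q\n", c.name, dns, checkHost(c.cert, dns))
		fmt.Printf("%-9s %-30s %q\n", c.name, ip, checkHost(c.cert, ip))
	}
}
```

Only the DNS+IP certificate passes both checks; the IP-only certificate fails the DNS check with "certificate is not valid for any names", which is the error from the question, and the DNS-only certificate fails the IP check with "doesn't contain any IP SANs". To confirm an openssl-generated cert actually carries both entries, run `openssl x509 -in cert.crt -noout -text` and look for the `X509v3 Subject Alternative Name` line; `openssl verify -CAfile cert.crt -verify_hostname yoursubdomain.yourdomain.com cert.crt` and `-verify_ip 192.168.2.107` perform the same name checks from the command line.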