Any way to create OpenSSL certificate request that would be valid for two IP addresses?

0

I have a private app running as a webserver on a machine on an isolated wifi router using 192.168.1.*/255.255.255.0, with no DNS capability & no upstream Internet; basically, only local wireless. The web server will have one of two IP addresses: 192.168.1.x or 192.168.1.y, where x & y are fixed values.

What is the incantation of OpenSSL to create a CSR with two IP addresses, such that a client connecting to the web server on one of the two IP addresses would consider the certificate valid? Is there any way to use subjectAltName= and/or nameConstraints=permitted;IP:192.168.1.???/255.255.255.0?

It seems like bits & pieces are there, but there are so many options & commands in OpenSSL, I can't tell if this is possible.

Matthew Adams

Posted 2015-11-03T19:08:39.947

Reputation: 163

Are the clients actually accessing the web server by IP address? Do they use URLs like https://192.168.1.x/...? – David Schwartz – 2015-11-03T19:21:08.060

Yes, by IP address only. – Matthew Adams – 2015-11-04T02:22:45.777

Answers

1

Creating a cert for 192.168.1.* should work. Keep in mind that there are lots of sites that use wildcard certs in the *.mydomain.com form, so I see no reason why this one shouldn't work.

Although you probably know this, you'll have to import that self-signed certificate into your browser(s) (or ask your users to do so) in order to avoid them asking whether you want to open an insecure site each time you surf there.

nKn

Posted 2015-11-03T19:08:39.947

Reputation: 4 960
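
An added example, not part of the original thread or of OpenSSL's documentation: a CSR that lists both addresses as IP-type subjectAltName entries, which is the field clients compare an `https://<ip>/` URL against, one exact address per entry. The function names, file names, and the addresses 192.168.1.10 and 192.168.1.20 (standing in for the question's x and y) are assumptions.

```shell
#!/bin/sh
# Added example. 192.168.1.10 / 192.168.1.20 are constructed stand-ins
# for the question's 192.168.1.x / 192.168.1.y.

make_two_ip_csr() {   # $1 = first IP, $2 = second IP, $3 = output directory
    ip1=$1; ip2=$2; out=$3
    mkdir -p "$out" || return 1
    # Request config: each address is its own IP-type subjectAltName entry.
    cat > "$out/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $ip1

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
IP.1 = $ip1
IP.2 = $ip2
EOF
    # New 2048-bit RSA key, left unencrypted (-nodes) so the server can
    # load it unattended; restrict its file permissions instead.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out/server.key" -out "$out/server.csr" \
        -config "$out/req.cnf" 2>/dev/null || return 1
    chmod 600 "$out/server.key"
}

csr_sans() {          # print the IP SAN entries of CSR $1, one per line
    openssl req -in "$1" -noout -text |
        grep -o 'IP Address:[0-9A-Fa-f.:]*' | sed 's/IP Address://'
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d) &&
    make_two_ip_csr 192.168.1.10 192.168.1.20 "$demo_dir" &&
    csr_sans "$demo_dir/server.csr"
```

If the request is then signed with `openssl x509 -req`, pass `-extfile req.cnf -extensions v3_req` as well, because that command does not copy extensions from the CSR by default.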