By Evgenyt


2010-01-11 17:37:08 8 Comments

I want my site to use URLs like http://192.0.2.2/... and https://192.0.2.2/... for static content to avoid unnecessary cookies in request AND avoid additional DNS request.

Is there any way to obtain SSL cert for this purpose?

5 comments

@Chris Becke 2019-02-11 13:04:40

The CA/Browser Forum sets what is and is not valid in a certificate, and what CAs should reject.

According to their Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates document, CAs must, since 2015, not issue certificates where the common name or common alternate names fields contain a reserved IP or internal name, where reserved IP addresses are IPs that IANA has listed as reserved (which includes all NAT IPs) and internal names are any names that don't resolve on the public DNS.

Public IP addresses CAN be used (and the baseline requirements doc specifies what kinds of checks a CA must perform to ensure the applicant owns the IP).

@mehulmpt 2018-08-24 13:19:25

Yep. Cloudflare uses it for its DNS instructions homepage: https://1.1.1.1

@bitinerant 2019-02-15 18:46:43

This isn't quite what it seems. If you inspect the cert, the Common Name field is cloudflare-dns.com and 1.1.1.1 is only listed under Certificate Subject Alt Name.

@regdoug 2016-05-06 03:13:58

The short answer is yes, as long as it is a public IP address.

Issuance of certificates to reserved IP addresses is not allowed, and all certificates previously issued to reserved IP addresses were revoked as of 1 October 2016.

According to the CA Browser forum, there may be compatibility issues with certificates for IP addresses unless the IP address is in both the commonName and subjectAltName fields. This is due to legacy SSL implementations which are not aligned with RFC 5280, notably, Windows OS prior to Windows 10.


Sources:

  1. Guidance on IP Addresses In Certificates (CA/Browser Forum)
  2. Baseline Requirements 1.4.1 (CA/Browser Forum)
  3. The (soon to be) not-so Common Name (unmitigatedrisk.com)
  4. RFC 5280 (IETF)

Note: an earlier version of this answer stated that all IP address certificates would be revoked on 1 October 2016. Thanks to Navin for pointing out the error.
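As an added example (not code from the question or from any answer on this page), the Python below uses only the standard library's ipaddress module to approximate the two checks the answers above describe: whether an address falls in an IANA special-purpose range, which is what rules out the question's 192.0.2.2 and every NAT address under the Baseline Requirements, and whether a given address appears in both the CN and the SAN list, the layout regdoug's answer says avoids legacy compatibility problems and the one bitinerant inspected on https://1.1.1.1. The stdlib's range tables are only an approximation of the IANA registries, and the function names and sample inputs are this example's own.

```python
import ipaddress

# Special-purpose ranges the stdlib does not name individually, listed here by hand
# (constructed for this example from the IANA registry): the RFC 5737 / RFC 3849
# documentation blocks and the RFC 6598 shared address space used for CGNAT.
DOCUMENTATION_NETS = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")
]
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_ip(addr: str) -> str:
    """Label an address by the IANA special-purpose class it falls in.

    The stdlib flags (is_loopback, is_private, is_global, ...) approximate the
    IANA registries; the explicit checks come first so that the documentation
    block the question uses (192.0.2.2) is not reported as merely 'private'.
    """
    ip = ipaddress.ip_address(addr.strip())
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if any(ip in net for net in DOCUMENTATION_NETS):
        return "documentation"
    if ip.version == 4 and ip in SHARED_ADDRESS_SPACE:
        return "shared-address-space"
    if ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "reserved"


def issuable_by_public_ca(addr: str) -> bool:
    """True only for a globally routable address: the one class the Baseline
    Requirements allow a publicly trusted CA to put in an iPAddress SAN."""
    return classify_ip(addr) == "public"


def subject_covers_ip(common_name: str, san_ip_entries, addr: str):
    """Report whether ADDR appears in the CN and in the SAN iPAddress entries.

    Comparison is done on parsed addresses, not strings, so an IPv6 address
    written '2606:4700:4700::1111' still matches its fully expanded form.
    Returns (in_common_name, in_san).
    """
    target = ipaddress.ip_address(addr.strip())

    def same(entry: str) -> bool:
        try:
            return ipaddress.ip_address(entry.strip()) == target
        except ValueError:  # a DNS name such as cloudflare-dns.com never matches
            return False

    return same(common_name), any(same(e) for e in san_ip_entries)


if __name__ == "__main__":
    # Constructed inputs: the question's own address, Cloudflare's public resolver
    # and a few addresses from reserved ranges.
    for candidate in ("192.0.2.2", "1.1.1.1", "10.0.0.5", "100.64.0.1", "fe80::1"):
        print(f"{candidate:>14}  {classify_ip(candidate):<22}"
              f"issuable={issuable_by_public_ca(candidate)}")
    # The subject layout bitinerant describes for https://1.1.1.1 (constructed SAN list):
    # the CN is a DNS name, so only the SAN check passes.
    print(subject_covers_ip("cloudflare-dns.com", ["1.1.1.1", "1.0.0.1"], "1.1.1.1"))
```

Run it as a script to see the classification table; in a deployment checklist the useful call is subject_covers_ip with the CN and SAN values read from the actual certificate, since a (False, True) result is exactly the legacy-client case regdoug's answer warns about.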

@Navin 2016-10-21 18:10:34

Not true, GlobalSign still issues certs for IPs. The Certificate Authority/Browser Forum doesn't like seeing private IPs in certs but has nothing against public IPs.

@regdoug 2016-12-17 23:44:38

It looks like my info may be out of date. I'll look into it more and then edit it if you are correct.

@Klaus Byskov Pedersen 2010-01-11 17:42:50

The answer, I guess, is yes. Check this link for instance.

Issuing an SSL Certificate to a Public IP Address

An SSL certificate is typically issued to a Fully Qualified Domain Name (FQDN) such as "https://www.domain.com". However, some organizations need an SSL certificate issued to a public IP address. This option allows you to specify a public IP address as the Common Name in your Certificate Signing Request (CSR). The issued certificate can then be used to secure connections directly with the public IP address (e.g., https://123.456.78.99.).

@Mr Bonjour 2016-03-03 08:18:43

Does it work too with static private IP? Like for a LAN?

@Pekka 웃 2010-01-11 17:41:19

According to this answer, it is possible, but rarely used.

As for how to get it: I would tend to simply try and order one with the provider of your choice, and enter the IP address instead of a domain during the ordering process.

However, running a site on an IP address to avoid the DNS lookup sounds awfully like unnecessary micro-optimization to me. You will save a few milliseconds at best, and that is per visit, as DNS results are cached on multiple levels.

I don't think your idea makes sense from an optimization viewpoint.

@Evgenyt 2010-01-11 18:07:37

AFAIK, 1 time per minute (Firefox DNS cache) and 1 time per 30 minutes for IE. This differs from the TTL of DNS records. Also it takes about 20ms for me, depending on the domain and how fast the NS servers are (which also have to be resolved first :) ). I also want to avoid my lengthy cookies (my auth + Google Analytics cookies) for each static request. So using an IP instead of purchasing a separate domain is good. BTW, stackoverflow and basecamphq use a separate domain for static content. Using an IP instead will remove the unnecessary DNS request(s) also.

@Pekka 웃 2010-01-11 18:10:22

I absolutely see your point with the cookies, you're totally right. But to switch to an SSL IP to save the few ms of DNS lookup sounds like more hassle to me than it's worth. Plus, you may have issues taking your IP with you if you ever have to change your provider - it's probably not possible. Moving a domain is much easier, and it should be possible to move a certificate with it halfway easily.

@Evgenyt 2010-01-11 18:36:48

Google's Page Speed tool always suggests to "Serve the following JavaScript resources from the same host as the main document (xxxx.com), or defer loading of these resources if possible". I'm not rating Page Speed tool as bible, but anyway that means DNS optimization was not invented by me. I'm just trying to make my Page Speed checklist green where possible.

@vdstw 2011-12-18 16:58:30

@Evgenyt: I don't think that's because of the DNS lookup, which as stated is cached on so many levels that it can't be a performance issue. More likely it is to enable browsers to pipeline their requests. Keeping the connection to the host open, thus avoiding the setup of additional connections.

@Pacerier 2014-10-10 15:37:15

@Pekka웃, Does HTTPS for IP work for the major "world-recognized" CAs or do you mean that they only work for "self" CAs?

@Dan Pritts 2014-11-20 16:12:32

Running into a situation where this is required: VMware View remote virtual desktops. The user logs into the "broker", which assigns a Windows VM by IP address. The user's remote desktop client is started up and told to connect to a particular IP. (In some cases, PCoIP instead of remote desktop, but remote desktop is definitely possible and I guess in some cases desirable.)

@ENargit 2015-01-21 12:51:13

I agree with the answer. Also, we found an issue with such a configuration. Turned out, the Chrome browser (39.0.2171.93) on Android OS (4.4, 5.0; works on 4.0.4) doesn't play audio files via HTTPS if an IP address is used as the certificate target. We used to use such a configuration for our test environment, but will start using domain names.

@Mariy 2016-10-03 16:30:44

It seems that you won't create IP SSL certificates anymore: uk.godaddy.com/help/…

@Rajendra 2018-01-19 06:55:28

What if I need SSL for my IoT hardware server, which is mostly used locally in the same network and has the domain myiot.local? Is it possible in this case to create SSL without a warning?

@Attila Szeremi 2018-04-03 01:13:03

I came here because of 1.1.1.1 :D

@Timo 2018-04-05 15:08:24

Another issue arises when the IP changes, which happens once a month or so with an ISP.

@Chris Becke 2019-02-11 12:50:20

"Internal Name" and private IP certificates were deprecated in October 2016 according to the CA Browser Forum.
