IP address in SubjectAltName

  • Is it allowed to specify an IP as a DNS name in a SAN certificate?

  • Is it allowed to specify an IP as a DNS name in a SAN certificate?

    According to RFC 5280, dNSName is an IA5String, which means in theory you could put the string form of an IPv4 or IPv6 address inside it. And sometimes it is also necessary, even though the proper type for IP addresses in a SAN is iPAddress, since:

    • MSIE and MS Edge tend to ignore iPAddress and expect the value as a string in dNSName. So does Python 2.
    • but Chrome, Safari and Firefox don't expect an IP address as a dNSName and need it as an iPAddress. So does Python 3.

    Thus the best compatibility can actually be reached by giving the IP address both as iPAddress and as dNSName.
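    The dual-entry SAN this answer recommends, as an added example that is not part of the original post: a stdlib-only DER encoder/decoder for the SubjectAltName GeneralNames SEQUENCE, plus two hostname-matching policies modelled on the two client behaviours listed above (strict iPAddress-only matching versus string matching against dNSName). The addresses used with it (10.1.2.3, 2001:db8::1) are constructed sample values, and the two matcher functions are simplified models, not the browsers' actual code.

```python
import ipaddress

def _der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_san(dns_names, ip_addresses):
    """DER GeneralNames SEQUENCE (RFC 5280 4.2.1.6): dNSName is context tag [2]
    holding an IA5String, iPAddress is tag [7] holding 4 or 16 raw octets."""
    entries = b"".join(_tlv(0x82, n.encode("ascii")) for n in dns_names)
    entries += b"".join(_tlv(0x87, ipaddress.ip_address(ip).packed) for ip in ip_addresses)
    return _tlv(0x30, entries)

def decode_san(der):
    """Parse back to (kind, value) pairs; other GeneralName choices are skipped."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:
            names.append(("dNSName", value.decode("ascii")))
        elif tag == 0x87:
            names.append(("iPAddress", str(ipaddress.ip_address(value))))
    return names

def matches_strict(names, host):
    """Chrome/Firefox/Python 3 style: an IP literal only matches an iPAddress entry."""
    try:
        target = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: plain hostname comparison
        return any(k == "dNSName" and v.lower() == host.lower() for k, v in names)
    return any(k == "iPAddress" and ipaddress.ip_address(v) == target for k, v in names)

def matches_lenient(names, host):
    """MSIE/Edge/Python 2 style: iPAddress ignored, IP literal compared as a dNSName string."""
    return any(k == "dNSName" and v == host for k, v in names)
```

Encoding the same address into both lists is the only combination that satisfies both matchers; a SAN with only one of the two entry types fails one of them.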

  • Is it allowed to specify an IP as a DNS name in a SAN certificate?

    First of all, you should realize that there is a specific iPAddress alternative name format, designed to hold dotted quads (IPv4) or 16 octets (IPv6). If you wish to slap an IP address onto your certificate, that's probably the right way to do it. See RFC 5280 section 4.2.1.6. Browser/client compatibility will vary.

    Secondly, yes, it is legal to specify a dotted quad in a dNSName field of the SAN. To quote RFC 5280,

    The name MUST be in the "preferred name syntax", as specified by Section 3.5 of RFC1034 and as modified by Section 2.1 of RFC1123

    The latter suggests that software should be tolerant of finding IP addresses in "host name" fields:

    Whenever a user inputs the identity of an Internet host, it SHOULD be possible to enter either (1) a host domain name or (2) an IP address in dotted-decimal ("#.#.#.#") form. The host SHOULD check the string syntactically for a dotted-decimal number before looking it up in the Domain Name System.

    Again, these are just RFCs, so your mileage will vary by client.

    Please note also that, per RFC 5280:

    Because the subject alternative name is considered to be definitively bound to the public key, all parts of the subject alternative name MUST be verified by the CA.

    So if you submit a request to a public CA with, for example, a private RFC 1918 IP address (10.1.2.3), they should decline to sign that request. And as for CAs validating ownership of an IP address - when the "ownership" of an IP address usually differs from the allocated user - things could get interesting.

  • Yes, technically it can go in the Subject Alternative Name (SAN) along with any domain names. The systems in which you use the certificate may or may not correctly make use of the information (application dependent).

    Therefore yes, it's legal to do what you want, but it may not work.

    How does validation go, for example if I want the IP of my VPS to be in the SAN?

    If you create an X.509 certificate with the IP of your VPS in the SAN then that should work. My point was that sometimes it may not; for example, your VPS and/or your browser might not understand it. This will be application specific.

    @user3448600 - I hope the above was helpful. Let me know if you have any other questions.

  • Yes, it can be used that way, but it generally only makes sense for a private Private Key Infrastructure. In that case, you can have a private server that will be used directly with its IP address, so it makes sense to use it in the SAN field.

    But AFAIK it is seldom used (if used at all) for public PKI and public servers.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM