30.4.2.4. Using IP Addresses in Certificate Subject Names
Using an IP address in the
ldap_uri
option instead of the server name may cause the TLS/SSL connection to fail. TLS/SSL certificates contain the server name, not the IP address. However, the subject alternative name field in the certificate can be used to include the IP address of the server, which allows a successful secure connection using an IP address.
- Convert an existing certificate into a certificate request. The signing key (
-signkey
) is the key of the issuer of whatever CA originally issued the certificate. If this is done by an external CA, it requires a separate PEM file; if the certificate is self-signed, then this is the certificate itself. For example:openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem
With a self-signed certificate:openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem
- Edit the
/etc/pki/tls/openssl.cnf
configuration file to include the server's IP address under the[ v3_ca ]
section:subjectAltName = IP:10.0.0.10
- Use the generated certificate request to generate a new self-signed certificate with the specified IP address:
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem
The-extensions
option sets which extensions to use with the certificate. For this, it should be v3_ca to load the appropriate section. - Copy the private key block from the
old_cert.pem
file into thenew_cert.pem
file to keep all relevant information in one file.
When creating a certificate through the certutil utility provided by the nss-tools package, note that certutil supports DNS subject alternative names for certificate creation only.