Self Signed SSL/TLS Certificate with IP Address
Create a self signed certificate using only an IP address, not a hostname or domain name.
I am working on setting up a Kubernetes cluster using Rancher on a set of VirtualBox VMs managed by Vagrant to run applications in Docker containers. Woah, that's a mouthful! That is one fairly complicated case, but there are lots of other reasons you may want to create a self-signed certificate. Obviously, you never want to run with a self-signed cert in production, but they are fine for running and testing Apache web servers, Nginx, Express.js servers, and many more.
So how do I create a self signed certificate for an IP Address?
- Create a certificate request configuration file that uses a Subject Alternative Name (SAN).
- Use the OpenSSL req command to generate the certificate.
- Verify the certificate content.
- Install the certificate on your server (Apache, Express, private Docker registry, etc.).
One of the fun things I need to do for my current project is to set up a private Docker registry on one VM node that all the other VM nodes can pull images from. I am setting up a test environment, so I could configure it as an insecure Docker registry. However, since I will need to set up the registry in production with a real cert at some point, I decided to get the registry working with a self-signed cert instead. To do this we will use openssl.
There are other ways to achieve this; this is only one method. To get the self-signed cert to work with just an IP (not a domain name), we specify a subject alternative name (SAN) of type IP address, because TLS clients match the address they connected to against the SAN list rather than against the CN.
- Create a request configuration file as follows (this is just a plain text file — and you can name it whatever you like):
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.13.10

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.13.10
The two things you need to pay attention to are the CN field and the alt_names section at the bottom.
The CN field is set to the IP address of the server (in my case the VM running the private Docker registry) so the cert is readable, but modern clients (browsers since Chrome 58, Go and therefore Docker since Go 1.15) ignore the CN entirely and only match the SAN. The IP.1 entry under [alt_names] is what actually makes the certificate valid for that address, and it must be an IP entry, not a DNS entry holding an IP string. Also make sure keyUsage includes digitalSignature: TLS 1.3 and (EC)DHE key exchange sign the handshake with the key, while keyEncipherment alone only covers legacy RSA key transport.
- Generate the certificate and private key using the config file you created above:
openssl req -new -nodes -x509 -days 365 -keyout domain.key -out domain.crt -config <path/to/req/file/from/above>
The -x509 flag makes req emit a self-signed certificate instead of a CSR, and the x509_extensions = v3_req line in the config is what carries the SAN into it. -nodes leaves the private key unencrypted (OpenSSL 3 spells this -noenc but still accepts -nodes), so protect domain.key with file permissions.
- Verify the certificate has an IP SAN by running the following command:
openssl x509 -in domain.crt -noout -text
This prints the contents of the cert for you to inspect. There is a lot there; you are looking for a pair of lines like this:
X509v3 Subject Alternative Name:
    IP Address:192.168.13.10
If that section is missing, the usual cause is that the config file was not passed with -config, or that x509_extensions does not point at the section containing subjectAltName; req silently drops the SAN in that case.
Now you can install the self-signed cert into the application or server you are trying to run. For me, this is the Docker registry: the registry container gets domain.crt and domain.key through its REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY settings, and every node that pulls from it gets a copy of domain.crt at /etc/docker/certs.d/192.168.13.10:5000/ca.crt (assuming the registry's default port 5000), so the daemon trusts that cert instead of having the registry marked insecure. The same cert works for an Apache web server, a Node Express.js server, etc.
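To show why the IP SAN, and not the CN, is what makes the cert work, here is an added example (not code from this post or from the Docker registry project) that builds the same self-signed certificate in Go using only the standard library, then verifies it exactly the way a Go TLS client such as the Docker daemon does once the cert is trusted as a root. It reproduces the subject, serverAuth EKU and one-year validity from the config above; the 2048-bit key size and the assumed certs.d path in the comments are mine, and the helper names generateSelfSigned, ipSANs and verifyForIP are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverIP is the registry address used in the request config file.
const serverIP = "192.168.13.10"

// generateSelfSigned mirrors the openssl req config in Go: same subject,
// serverAuth EKU, one-year validity, self-signed. withIPSAN chooses between
// emitting the iPAddress SAN (the IP.1 line) or leaving the IP only in the CN,
// which is the mistake this example exists to demonstrate.
func generateSelfSigned(ip string, withIPSAN bool) (certPEM, keyPEM []byte, err error) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return nil, nil, fmt.Errorf("%q is not an IP address", ip)
	}
	// 2048-bit key keeps the example fast; the config above uses default_bits = 4096.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			Country: []string{"US"}, Province: []string{"VA"}, Locality: []string{"SomeCity"},
			Organization: []string{"MyCompany"}, OrganizationalUnit: []string{"MyDivision"},
			CommonName: ip,
		},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(365 * 24 * time.Hour),
		// digitalSignature covers TLS 1.3 and (EC)DHE; keyEncipherment covers legacy RSA key transport.
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withIPSAN {
		tmpl.IPAddresses = []net.IP{addr} // shows up as "IP Address:192.168.13.10" in the SAN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ipSANs returns the iPAddress SAN entries, i.e. what the
// "openssl x509 -noout -text" check above is looking for.
func ipSANs(certPEM []byte) ([]string, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, ip := range cert.IPAddresses {
		out = append(out, ip.String())
	}
	return out, nil
}

// verifyForIP performs the check a Go TLS client such as the Docker daemon makes
// once the cert is trusted (e.g. placed in /etc/docker/certs.d/<ip>:<port>/ca.crt,
// an assumed layout): treat the cert as a root and require it to be valid for ip.
func verifyForIP(certPEM []byte, ip string) error {
	cert, err := parseCert(certPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   ip, // an IP literal is matched only against iPAddress SANs, never the CN
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	withSAN, _, err := generateSelfSigned(serverIP, true)
	if err != nil {
		panic(err)
	}
	sans, _ := ipSANs(withSAN)
	fmt.Println("IP SANs:", sans, "verify:", verifyForIP(withSAN, serverIP))
	cnOnly, _, _ := generateSelfSigned(serverIP, false)
	fmt.Println("CN only, verify:", verifyForIP(cnOnly, serverIP))
}
```

Running it shows the SAN-bearing cert verifying cleanly for 192.168.13.10 while the CN-only cert is rejected with a hostname error, which is the same failure you will see from docker pull if the IP.1 line is left out of the config.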
Let me know in the comments how this worked for you!