How to define IP address inside multi-domain SSL certificate

Define an IP address inside a multi-domain SSL certificate.

I will use a self-signed certificate as it is enough to show how it works.

Describe the certificate in an OpenSSL configuration file. In the [alt_names] section, use DNS.n entries to define DNS names and IP.n entries to define IP addresses.

$ cat <<EOF | tee certificate.cfg
[ req ]
req_extensions     = req_ext
distinguished_name = req_distinguished_name
prompt             = no
[req_distinguished_name]
commonName=example.org
[req_ext]
subjectAltName   = @alt_names
[alt_names]
DNS.1  = example.org
DNS.2  = *.example.org
IP.1   = 10.0.0.10
IP.2   = 10.0.0.11
EOF

Generate the certificate.

$ openssl req -x509 -config certificate.cfg -extensions req_ext -nodes -days 360 -newkey rsa:2048 -sha256 -keyout certificate.key -out certificate.crt
Generating a RSA private key
...................................................+++++
...................................................+++++
writing new private key to 'certificate.key'
-----

Display the certificate. The X509v3 Subject Alternative Name extension lists the DNS names and IP addresses.

$ openssl x509 -in certificate.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:a8:ae:1f:c2:3f:24:51:71:f6:31:f3:62:cb:4f:5c:21:4f:39:60
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.org
        Validity
            Not Before: Feb 24 23:11:50 2021 GMT
            Not After : Feb 19 23:11:50 2022 GMT
        Subject: CN = example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d3:f6:81:8b:de:d5:d7:bc:46:e5:8a:65:53:bd:
                    69:8d:84:32:f2:89:56:18:fa:ed:bc:c7:f1:0f:32:
                    cb:d2:5a:4d:7d:08:fb:15:03:17:ba:be:1b:03:5a:
                    5d:bc:6a:db:a9:c2:9c:2d:e6:23:4b:38:cf:1d:c6:
                    8d:dc:f6:d6:74:4c:bc:d1:fd:c9:da:15:5b:26:a4:
                    04:0c:07:58:5c:19:00:f1:e5:04:d2:01:de:c7:7f:
                    da:e1:6b:1a:8d:5a:e9:d0:86:43:e2:83:5b:7d:d8:
                    f8:bf:b6:2b:e4:a5:2a:b8:e1:c4:3a:5c:78:5b:2a:
                    bb:8c:87:8b:43:07:f2:a8:fb:ed:7b:05:9f:ef:85:
                    00:9f:a4:b1:b1:9e:c5:bc:6d:ea:3a:f4:6f:84:a8:
                    f5:fb:1c:1b:93:32:9a:e1:b8:21:bf:8d:2b:dc:69:
                    73:76:dc:85:75:61:ce:d9:b3:97:0e:63:07:e1:cd:
                    1a:1e:b6:9e:cd:e6:5d:d7:88:a3:98:bf:f2:cf:53:
                    ed:e4:46:a1:c9:6a:b5:26:05:66:b8:0b:c1:75:d4:
                    13:e9:97:f9:1d:4a:05:1f:bd:fb:db:21:9f:52:72:
                    31:7b:cb:fe:63:1f:62:93:87:9c:43:77:07:ab:aa:
                    d2:8e:03:44:37:0b:d2:5e:26:11:53:d4:1b:9d:5b:
                    82:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.org, DNS:*.example.org, IP Address:10.0.0.10, IP Address:10.0.0.11
    Signature Algorithm: sha256WithRSAEncryption
         b7:66:a4:2b:27:e6:db:85:08:87:47:9e:8f:85:56:d9:da:7d:
         f0:1d:fe:8e:8f:d3:78:f8:62:17:3f:b3:1f:a1:e2:61:18:a8:
         90:90:90:be:e2:e8:d4:66:a5:bd:83:d3:0f:e8:53:cd:6c:37:
         76:24:94:ce:b2:e1:d9:c1:05:42:80:4e:2b:58:32:40:71:84:
         e3:d9:02:a3:1f:b6:6d:f7:f1:ee:7f:2d:a9:8b:36:da:04:28:
         a5:1c:75:1f:04:db:4d:b2:f1:31:70:28:7f:e7:c0:e7:0d:af:
         6f:29:5c:04:8c:9d:e6:8f:20:67:d9:41:98:f5:4a:f1:a6:6a:
         4d:90:4f:60:13:b5:67:27:0b:0a:e7:5e:65:c2:de:0e:b5:23:
         ae:67:29:57:98:c5:4f:12:00:6a:ce:bb:f7:5c:d4:5b:84:82:
         b5:31:92:8f:d6:17:05:40:db:ec:7e:2d:0e:28:37:6e:57:41:
         40:db:82:37:3e:26:63:d2:a5:72:8a:59:12:1e:cf:18:43:ac:
         c5:e6:c6:b9:11:23:7a:05:bf:5c:8e:a3:de:64:b9:b2:0e:7c:
         36:1c:c4:6f:74:51:2f:ed:b3:20:b4:4e:42:94:29:46:3f:a7:
         e4:73:f9:ab:82:2d:a5:8a:32:37:31:0c:01:3d:e4:50:04:48:
         9f:27:69:21
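
To confirm that clients will accept the certificate for a given name or address, the SAN entries can be tested with openssl x509 -checkhost and -checkip. The script below is an added example, not part of the original post: it rebuilds the same certificate in a temporary directory (the function names san_check and report and the probe values are assumptions chosen for illustration) and shows that an address matches only through an IP entry and that the wildcard covers a single label.

```bash
#!/bin/sh
# Added example: rebuild the page's certificate in a temp dir and test its SANs.
set -u
WORKDIR=$(mktemp -d)            # constructed scratch directory (mode 0700)
trap 'rm -rf "$WORKDIR"' EXIT

make_cert() {
  cat > "$WORKDIR/certificate.cfg" <<'EOF'
[ req ]
req_extensions     = req_ext
distinguished_name = req_distinguished_name
prompt             = no
[req_distinguished_name]
commonName=example.org
[req_ext]
subjectAltName   = @alt_names
[alt_names]
DNS.1  = example.org
DNS.2  = *.example.org
IP.1   = 10.0.0.10
IP.2   = 10.0.0.11
EOF
  openssl req -x509 -config "$WORKDIR/certificate.cfg" -extensions req_ext \
    -nodes -days 360 -newkey rsa:2048 -sha256 \
    -keyout "$WORKDIR/certificate.key" -out "$WORKDIR/certificate.crt" 2>/dev/null
}

# san_check host|ip VALUE: exit status 0 only when the certificate covers VALUE.
# openssl x509 prints "... does match certificate" or "... does NOT match certificate".
san_check() {
  case "$1" in
    host) opt=-checkhost ;;
    ip)   opt=-checkip ;;
    *)    return 2 ;;
  esac
  openssl x509 -in "$WORKDIR/certificate.crt" -noout "$opt" "$2" |
    grep -q 'does match certificate'
}

report() {
  if san_check "$1" "$2"; then echo "$1 $2: match"; else echo "$1 $2: NO match"; fi
}

make_cert
report host example.org
report host www.example.org
report host a.b.example.org   # wildcard covers one label only
report host 10.0.0.10         # address checked as a hostname: IP SANs are not consulted
report ip 10.0.0.10
report ip 10.0.0.12           # not listed under [alt_names]
```

The openssl x509 command exits with status 0 whether or not the value matches, which is why san_check inspects the printed message.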