我想我的网站使用url像http://192.0.2.2/…和https://192.0.2.2/..。为静态内容,以避免不必要的cookie请求和避免额外的DNS请求。

有没有办法获得SSL证书?


当前回答

这完全取决于颁发证书的证书颁发机构。

至于让我们加密CA,他们不会在公共IP地址上颁发TLS证书。 https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082

要了解您的证书颁发机构,可以执行以下命令并查找下面标记的条目。

curl -v -u <username>:<password> "https://IPaddress/.."

其他回答

The answer is yes. In short, it is a subject alternative name (SAN) certificate that contains IPs where you would typically see DNS entries. The certificate type is not limited to Public IPs - that restriction is only imposed by a signing authority rather than the technology. I just wanted to clarify that point. I suspect you really just want to get rid of that pesky insecure prompt on your internal websites and devices without the cost and hassle of giving them DNS names then paying for a CA to issue a cert every year or two. You should NOT be trying to convince the world that your IP address is a reputable website and folks should feel comfortable providing their payment information. Now that we have established why no reputable organization wants to issue this type of certificate, lets just do it ourselves with a self signed SAN certificate. Internally I have a trusted certificate that is deployed to all of our hosts, then I sign this type of certificate with it and all devices become trusted. Doing that here is beyond the scope of the question but I think it relevant to the discussion as the question and solution go hand in hand. To be concise, here is how to generate an individual self signed SAN certificate with IP addresses. Expand the IP list to include your entire subnet and use one cert for everything.

#!/bin/bash
#using: OpenSSL 1.1.1c FIPS  28 May 2019 / CentOS Linux release 8.2.2004

C=US ; ST=Confusion ; L=Anywhere ; O=Private\ Subnet ; EMAIL=admin@company.com
BITS=2048
CN=RFC1918
DOM=company.com
SUBJ="/C=$C/ST=$ST/L=$L/O=$O/CN=$CN.$DOM"

openssl genrsa -out ip.key $BITS

SAN='\n[SAN]\nsubjectAltName=IP:192.168.1.0,IP:192.168.1.1,IP:192.168.1.2,IP:192.168.1.3,IP:192.168.1.4,IP:192.168.1.5,IP:192.168.1.6,IP:192.168.1.7,IP:192.168.1.8,IP:192.168.1.9,IP:192.168.1.10'

cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnf
echo -e "$SAN" >> /tmp/openssl.cnf

openssl req -subj "$SUBJ" -new -x509 -days 10950 \
    -key ip.key -out ip.crt -batch \
    -set_serial 168933982 \
    -config /tmp/openssl.cnf \
    -extensions SAN

openssl x509 -in ip.crt -noout -text

我想答案是肯定的。例如,请检查此链接。

向公网IP地址颁发SSL证书 SSL证书通常颁发给完全限定域名(FQDN),例如“https://www.domain.com”。但是,有些组织需要向公共IP地址颁发SSL证书。此选项允许您在证书签名请求(CSR)中指定一个公共IP地址作为通用名称。然后可以使用颁发的证书直接保护与公共IP地址(例如,https://123.456.78.99.)的连接。

根据这个答案,它是可能的,但很少使用。

至于如何获得它:我倾向于简单地尝试从您选择的提供商订购一个,并在订购过程中输入IP地址而不是域名。

然而,在一个IP地址上运行一个站点以避免DNS查找对我来说听起来像是不必要的微优化。每次访问最多可以节省几毫秒的时间,因为DNS结果缓存在多个级别上。

从优化的角度来看,我认为你的想法没有意义。

C/A浏览器论坛设置了证书中哪些是有效的,哪些是无效的,以及CA应该拒绝哪些。

根据他们的基线要求 为 签发和管理 公共信任证书文档,自2015年起,ca必须不再颁发证书,其中公共名称或公共备用名称字段包含保留IP或内部名称,其中保留IP地址是IANA列出的保留IP(包括所有NAT IP),内部名称是没有在公共DNS上解析的任何名称。

可以使用公共IP地址(并且基线需求文档指定了CA必须执行哪些类型的检查以确保申请人拥有IP)。

是的。Cloudflare将其用于其DNS说明主页:https://1.1.1.1