Why is it important to list an IP address as a DNS name in SAN/UCC certificates?

I have heard that when creating a CSR, if you want to validate an IP address, you should list the IP as a “DNS” name and not “IP Address”. I have actually had to re-create CSRs like this to fix clients that won’t connect and browser SSL warnings. At first I thought it was something limited to self-signed SSL certificates, but now I’ve seen this behavior on CA certs. Why do CSR utilities give you the option to list an IP as an IP if this does not work?

Answer

Because verification is up to clients. And some of these didn’t do a good job. So to support these you had to fiddle with the certificates.

MichaelHolm.Info: IP addresses in SubjectAltName in SSL website certificates #fail for some browsers
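As an added illustration (not code from the original answer or the linked article), the sketch below models two client verifiers against constructed SAN lists: one that follows RFC 2818 and compares an IP host only with iPAddress entries, and an assumed legacy one that only string-compares dNSName entries. The SAN values, host names and function names are all made up for the example.

```python
import ipaddress

# Constructed SAN lists as (type, value) pairs, as a certificate viewer would show them.
SAN_IP_TYPED = [("DNS", "intranet.example.test"), ("IP Address", "192.0.2.10")]
SAN_IP_AS_DNS = [("DNS", "intranet.example.test"), ("DNS", "192.0.2.10")]
SAN_BOTH = SAN_IP_TYPED + [("DNS", "192.0.2.10")]


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def strict_match(host, san):
    """RFC 2818 style: an IP host is compared only with iPAddress entries."""
    if is_ip(host):
        want = ipaddress.ip_address(host)
        return any(t == "IP Address" and ipaddress.ip_address(v) == want
                   for t, v in san)
    # Exact, case-insensitive name match; wildcard handling is left out.
    return any(t == "DNS" and v.lower() == host.lower() for t, v in san)


def dns_only_match(host, san):
    """Assumed legacy client: ignores iPAddress entries, string-compares dNSName."""
    return any(t == "DNS" and v.lower() == host.lower() for t, v in san)


def compatibility(host, san):
    """Which of the two modelled clients would accept this certificate for host."""
    return {"strict": strict_match(host, san),
            "dns_only": dns_only_match(host, san)}


def ip_in_dns_entries(san):
    """Audit helper: dNSName entries that are really IP literals (the workaround)."""
    return [v for t, v in san if t == "DNS" and is_ip(v)]


if __name__ == "__main__":
    for name, san in [("IP typed", SAN_IP_TYPED), ("IP as DNS", SAN_IP_AS_DNS),
                      ("both", SAN_BOTH)]:
        print(name, compatibility("192.0.2.10", san), ip_in_dns_entries(san))
```

Of the three constructed lists, only the one carrying the address under both types is accepted by both modelled clients.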
