I want to create a CA for internal use in our office. I created the CA like the following:

openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

Next I've imported the CA certificate on my OS X client and marked it as trustworthy and installed the CA cert in Firefox.

openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr

When filling the CA information I set the following: Common Name (eg, YOUR name) []: 192.168.6.78

openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500

After that was done, I copied the cert and key file over to the Web server, installed it in nginx and tried to access the site with Chrome, Firefox and Safari.

The result is that it's working fine in Chrome and Firefox, but not in Safari. Although Safari shows the CA as trusted, it displays an error for the Web server certificate itself. The error message is "Safari can't verify the identity of 192.168.6.78" and it offers to add an exception: "Always trust 192.168.6.78 when connecting to 192.168.6.78".

Has anyone run into that before and might know how to fix it? Maybe Safari just doesn't support SSL certs for IP addresses?

Thanks

Paul
  • You shouldn't issue certificates with IP addresses as the CN. Is there a reason you're not using the DNS name? – MDMarra Dec 25 '13 at 02:58
  • @MDMarra Yeah, we don't have a DNS server in the office yet, that's why we're currently using the IP addresses to access things. – Paul Dec 25 '13 at 03:25
  • Using the hosts files locally is better as a short-term measure than putting the IP into the certificate. Look towards getting DNS up ASAP, as this'll bite you in the butt. – Sirex Dec 25 '13 at 04:11
  • @Sirex thanks for the tip. Working on getting dnsmasq running now – Paul Dec 25 '13 at 05:57
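
The comments above recommend a name instead of an IP address in the CN. As an added example (not part of the original post), this script issues the device certificate with a DNS name and the IP address in subjectAltName, which is where RFC 2818 requires an IP address to appear for HTTPS name matching. The hostname `device.office.lan`, the CA subject and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: put the server's names in subjectAltName, not only in the CN.
HOST="device.office.lan"   # hypothetical name, e.g. served by /etc/hosts or dnsmasq
IP="192.168.6.78"          # address from the question

issue_cert() {             # $1 = working directory for keys and certificates
    d="$1"; mkdir -p "$d" || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.cnf"
    # Root CA: private key plus self-signed certificate marked as a CA.
    openssl genrsa -out "$d/rootCA.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -config "$d/ca.cnf" -key "$d/rootCA.key" \
        -subj "/CN=Office Root CA" -days 1024 -out "$d/rootCA.pem" || return 1
    # Device key and CSR; the CN carries the hostname, not the IP address.
    openssl genrsa -out "$d/device.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$d/ca.cnf" -key "$d/device.key" \
        -subj "/CN=$HOST" -out "$d/device.csr" || return 1
    # "x509 -req" does not copy extensions from the CSR, so the SAN is
    # supplied at signing time through an extension file.
    printf 'subjectAltName = DNS:%s, IP:%s\n' "$HOST" "$IP" > "$d/san.ext"
    openssl x509 -req -in "$d/device.csr" -CA "$d/rootCA.pem" \
        -CAkey "$d/rootCA.key" -CAcreateserial -days 500 \
        -extfile "$d/san.ext" -out "$d/device.crt" 2>/dev/null
}

san_of() {                 # print the SAN entries of certificate file $1
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

chain_ok() {               # succeed if leaf $2 verifies against CA file $1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration run in a throwaway directory.
work=$(mktemp -d)
issue_cert "$work" && san_of "$work/device.crt"
chain_ok "$work/rootCA.pem" "$work/device.crt" && echo "chain verifies"
```

After installing `device.crt` on the server, the SAN line printed by `san_of` is the list of names a client will accept for it.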
