The person that issues TLS certs is telling me he needs the CName of my server to issue a cert after I just gave him the IP address of the webserver. It's an internal project so we didn't get a domain name yet. Is he correct in that he must have a cname to issue the cert or is the ip I gave him fine?
4 Answers
The certificate needs to be issued for a fully qualified domain name (FQDN). You do not need to use a CNAME, and should probably simply create an A record pointing to the IP address in question.
The CA issuing the cert needs to be able to verify ownership of the domain name.
You can easily use a subdomain of your existing domain if you so desire. Just provide the subdomain (e.g. foo-server.example.com) as the CommonName for the cert.
There seems to be some confusion, both in your question, and in some of the answers, between CN and CNAME.
CN == short for CommonName. It is part of the DN or DistinguishedName to which the cert is issued.
CNAME == short for Canonical Name. It is a DNS entry that basically makes one FQDN an alias for another FQDN.
CN != CNAME, and DN != FQDN. Hope this helps clarify.
Well spotted, that much of the confusion may be caused by somebody thinking CNAME and CommonName is the same thing. – kasperd Aug 23 '14 at 08:56
When a browser uses an X.509 certificate to verify the identity of a site, it checks the name in the address bar against the names listed on the certificate itself.
You will need to know whatever name you intend to use to connect to your server with (for example your vhost or hostname) before issuing the certificate if you want users to be able to connect to the server using a name, rather than the IP address. If you plan on using multiple name based vhosts, you will need all of the names in the certificate.
More likely than not, the servername **does not** match the vhost name, or whatever else you are using the certificate for. – EEAA Aug 24 '14 at 01:47
@EEAA You are right. I have edited my answer to take name based vhosts into account. – lzam Aug 24 '14 at 02:40
If your intention is to reach your web server using its IP address (e.g. http://192.168.1.10) then it's fine.
If you intend to reach the server with its host name (or any other alias) (e.g. http://server) then you have to include the host name and aliases (CNAMEs), maybe as SANs, in your request.
This answer only applies to `http`, and the question was obviously about `https`. – kasperd Aug 23 '14 at 08:54
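The check described in the two answers above (the browser comparing the name in the address bar against the certificate's names, with IP addresses and aliases carried as SANs) as an added example that is not part of any of the original answers: a stdlib-only hostname-matching routine over a constructed dict of a certificate's names; the dict shape and the function names are assumptions, not a real certificate parser.

```python
import ipaddress


def _is_ip_literal(host: str) -> bool:
    """True if the requested host is an IPv4/IPv6 literal (brackets allowed for v6)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a wildcard may only be the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject wildcards that are not a full left-most label, that would cover a
    # registry-level name (*.com), or whose label count differs from the host.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, requested: str) -> bool:
    """cert is a constructed dict: {"cn": str|None, "dns": [dNSName SANs], "ip": [iPAddress SANs]}.

    An IP literal in the address bar is compared only against iPAddress SANs, so a
    cert whose CN happens to be "192.168.1.10" does not satisfy an https://192.168.1.10
    request. For names, dNSName SANs win; the CN is consulted only when no dNSName
    SAN exists at all (the legacy fallback).
    """
    if _is_ip_literal(requested):
        wanted = ipaddress.ip_address(requested.strip("[]"))
        return any(ipaddress.ip_address(i) == wanted for i in cert.get("ip", []))
    dns_sans = cert.get("dns", [])
    if dns_sans:
        return any(_dns_name_matches(p, requested) for p in dns_sans)
    cn = cert.get("cn")
    return bool(cn) and _dns_name_matches(cn, requested)
```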
There needs to be some sort of name for the certificate to be released, even if it's test.contoso.net. If this is an internally generated SSL cert, then it's not a big deal to revoke it and make a new one. However, if this is an SSL cert from an external vendor (e.g., Comodo, GoDaddy, Verisign, etc.) then it generally costs money or credits to revoke and create a new cert. Also third parties won't make certificates for domains you don't own.