
Is there a way to create a (self-signed) certificate that will cover all localhost IPs such as the full range for 127?

I tried both 127.* and 127.*.*.* but neither worked; I still got SSL error pages warning me that the page (e.g., 127.2.3.4) did not match the certificate and/or was not a trusted root, despite the fact that I had made sure to close the browser, remove the old one, and install the new one each time.

There are some webpages that show how to use wildcards in subdomains, but not IPs.

Synetech

1 Answer

I assume that you are attempting to add the wildcard IP addresses as a Subject Alternative Name and not as the Subject (which doesn't allow IP addresses at all).

RFC5280 Section 4.2.1.6 states:

For IP version 4, as specified in [RFC791], the octet string MUST contain exactly four octets

which rules out wildcard certs.

Wildcards are only valid in names.

garethTheRed
  • And even then, really only valid for CNs (Common Names), not necessarily for SANs (Subject Alternative Names). Given that an X509v3 cert can contain multiple SANs, there's no reason you couldn't generate a cert which contains an `iPAddress` SAN for each of the IP addresses you want to whitelist. AFAIK, there's no limit on the number of SANs in a cert. – Castaglia Apr 14 '16 at 23:04
  • SAN is 4.2.1.6 not 4. @Castaglia: 2818 describes dNSName(s) and *then* says "Names may contain the wildcard character ...." which (I believe) implies wildcard does apply to dNSName(s). I see many hosts using wildcard dNSName (easy example: google) and all browsers I use accept them. Also, a *TLS* cert chain must fit in 2^24-4 octets, so allowing for other certs and other parts of this cert SAN would be limited to about 2.8m IPv4 or 930k IPv6; whether clients actually handle this is another question. – dave_thompson_085 Apr 17 '16 at 04:27
  • @dave_thompson_085 - Thank you; I fixed it. – garethTheRed Apr 17 '16 at 07:15
  • @dave_thompson_085 [RFC 6125, Section 6.4.3](https://tools.ietf.org/html/rfc6125#section-6.4.3) indicates that clients _MAY_ choose to honor wildcards in names. And [this post](http://stackoverflow.com/a/21496451/4072843) argues that even CAs are split on this point. – Castaglia Apr 17 '16 at 16:15
  • @Castaglia 6125 doesn't apply to HTTPS, see 1.4. The Thawte blog link in that answer is dead, but Thawte does charge a lot (some would say gouge) for wildcard and I'd bet *they* don't mix because it doesn't fit their pricing model -- that doesn't mean it doesn't work. On a quick check, yahoo facebook adobe and wikipedia as well as google all have wildcard in SAN, and (from my location) serverfault superuser stackoverflow stackexchange are all actually on cloudflare with wildcard in SAN; I presume these organizations don't think they're turning away many users. – dave_thompson_085 Apr 19 '16 at 05:10
  • @dave_thompson_085 thanks for correcting my misunderstanding. Much appreciated! – Castaglia Apr 19 '16 at 06:15
  • So I have to manually add every IP I might use to the cert? – Synetech Apr 20 '16 at 01:39
  • Or start using domain names instead of IP addresses, so that you can use wildcard certs. – garethTheRed Apr 20 '16 at 06:24
  • @garethTheRed, who buys domain names to do local tests? I suppose I *might* if I were a rich corporation, but even then… – Synetech Apr 22 '16 at 21:26
  • The RFC says it must contain 4 octets (for IPv4), but it doesn’t say they must be numbers. It seems like something like `127.0.0.*` should work. Maybe someday they'll release an update that clarifies the wording and/or allows for wildcards in IPs. – Synetech Apr 22 '16 at 21:30
  • Your question is about addresses from the `127.0.0.0/8` network. Make up your own names, or use the reserved `example.org` domain. Then, create your own CA and issue a wildcard cert to `*.example.org`. – garethTheRed Apr 23 '16 at 07:12
  • An _octet_ is 8-bits from the 32-bit IP address: 0 to 255. There is no way to signify a wildcard with those 8-bits. – garethTheRed Apr 23 '16 at 07:15
  • Maybe they’ll add support for wildcard IPs some day (though I’ll probably bet money on more likely investments first). In the meantime I’ll either make a name like you suggested or just add some IPs as I need them. Thanks. – Synetech Apr 29 '16 at 00:42
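The following is an added example, not code from the question, the answer or any of the commenters. It hand-encodes a SubjectAltName extension the way RFC 5280 section 4.2.1.6 lays it out (a SEQUENCE of GeneralName, with `dNSName` as tag [2] and `iPAddress` as tag [7]) and then matches a reference identity against it the way an HTTPS client does: an IP literal matches only an `iPAddress` entry with identical octets, and a DNS name matches `dNSName` entries where `*` may stand for the whole leftmost label only. The octet rule is what makes `127.0.0.*` impossible: the content of an `iPAddress` entry is the packed binary address (exactly 4 or 16 octets), not a text string, so there is no byte value that can mean "any". The DER helpers, the function names and the conservative wildcard rule (at least two fixed labels after the `*`, as mainstream browsers enforce) are this example's own choices; nothing here talks TLS or issues a certificate, it only shows the encoding and the matching logic the thread argues about.

```python
"""Encode and match an X.509 SubjectAltName (SAN) extension by hand.

Added illustration for the thread above; all helper names are this
example's own. DER is written for the GeneralNames SEQUENCE only.
"""
import ipaddress

TAG_SEQUENCE = 0x30   # SEQUENCE OF GeneralName
TAG_DNSNAME = 0x82    # GeneralName [2] dNSName, IA5String
TAG_IPADDRESS = 0x87  # GeneralName [7] iPAddress, OCTET STRING


def _der_len(n: int) -> bytes:
    """DER definite-form length: one byte below 0x80, else 0x8N + N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def san_entry_ip(text: str) -> bytes:
    """iPAddress GeneralName: content is the packed address, exactly
    4 octets (IPv4) or 16 (IPv6). ipaddress rejects '127.0.0.*' with
    ValueError, so a wildcard can never reach the encoder."""
    return _tlv(TAG_IPADDRESS, ipaddress.ip_address(text).packed)


def san_entry_dns(name: str) -> bytes:
    """dNSName GeneralName: an IA5String; '*' is allowed in the text."""
    return _tlv(TAG_DNSNAME, name.encode("ascii"))


def can_encode_ip(text: str) -> bool:
    """True iff text is a literal address that fits the octet rule."""
    try:
        san_entry_ip(text)
        return True
    except ValueError:
        return False


def build_san(dns_names=(), ips=()) -> bytes:
    """DER for the whole SAN value, one entry per name or address."""
    entries = b"".join(san_entry_dns(n) for n in dns_names)
    entries += b"".join(san_entry_ip(a) for a in ips)
    return _tlv(TAG_SEQUENCE, entries)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der: bytes):
    """Decode the SEQUENCE into (kind, value) pairs; addresses become
    normalised strings, and a malformed iPAddress length is rejected."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SAN must be a SEQUENCE of GeneralName")
    entries, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == TAG_DNSNAME:
            entries.append(("dNSName", content.decode("ascii")))
        elif tag == TAG_IPADDRESS:
            if len(content) not in (4, 16):
                raise ValueError("iPAddress must be exactly 4 or 16 octets")
            entries.append(("iPAddress", str(ipaddress.ip_address(content))))
        else:
            entries.append(("other", content))
    return entries


def _dns_match(pattern: str, host: str) -> bool:
    """Whole-label leftmost wildcard only, with at least two fixed labels
    after it (so '*.example.org' is fine, '*.org' and 'f*.org' are not)."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def hostname_matches(san: bytes, reference: str) -> bool:
    """An IP reference matches only an identical iPAddress entry (never a
    dNSName that happens to look like an address); a DNS reference matches
    dNSName entries, wildcard rules as above."""
    try:
        ref_ip = str(ipaddress.ip_address(reference))
    except ValueError:
        ref_ip = None
    for kind, value in parse_san(san):
        if ref_ip is not None:
            if kind == "iPAddress" and value == ref_ip:
                return True
        elif kind == "dNSName" and _dns_match(value, reference):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the two working options from the thread side by side.
    san = build_san(["*.example.org"], ["127.0.0.1", "127.0.0.2", "::1"])
    print(parse_san(san))
    print(hostname_matches(san, "127.0.0.2"), hostname_matches(san, "127.2.3.4"))
    print(can_encode_ip("127.0.0.*"))
```

Running the block shows the practical consequence for the question: every `127.x.y.z` that should be accepted needs its own `iPAddress` entry (the certificate grows by six bytes per IPv4 address), whereas a single `*.example.org` `dNSName` covers any number of made-up local hostnames resolved to loopback.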