0

I need to generate a self signed certificate for my application and I want to be able to make it valid if a self generated root certificate have been added to the web browser manually.

The problem is that my application will be accessed by any IP that the client will assign to the server running this application (or maybe a hostname if the client is using a dns)

I tried to use * in CN but it doesn't works.

Extra infos : the application and the server, are very likely not connected to internet, the ip and the hostname (if any) can't be known as this is configured by the client at the end.

iXô
  • 111
  • 5
  • 1
    I may be mistaken, but I don't think that's possible. Instead, consider having your application generate a self-signed certificate using an IP or hostname specified during installation. (Or, depending on what web server software you're using, it could generate one automatically when the client first connects.) – Harry Johnston Aug 03 '18 at 13:26
  • @HarryJohnston You're not mistaken. That's the way it will have to go. – Michael Hampton Aug 03 '18 at 13:32
  • Using something like IP.1 = XXXX IP.2 = XXXX in a openssl.conf file ? Could the root certificate be a fixed one that I build myself and that would not change ? – iXô Aug 03 '18 at 14:08

1 Answers1

0

No, a single certificate cannot be valid for an arbitrary site. This rule applies to self-signed certificates as well as ordinary ones.

Consider the potential consequences if the web browser did allow this: if the user accepted your certificate (because they want to connect to your application) you or anyone else would then be able to use that certificate to impersonate any other site on the planet and your users wouldn't be able to tell the difference.

Your second suggestion of a single self-signed root certificate used to sign the individual certificates dynamically would also result in the same serious security vulnerability. Since the private key for the root certificate would have to be shipped as part of your software, it cannot be considered secure.

(For completeness: there are mitigations such as certificate transparency, and you can configure a browser to accept a particular certificate only for a particular site; that might even be the default, I'm not sure - but I don't think these details significantly change the underlying analysis as they are defence-in-depth measures, not intended to be the only layer of protection.)

Instead, your application should generate a self-signed certificate itself, either at installation time or when the user first connects. This is a common practice for web-based management consoles. You should also give the user the option of providing a correctly signed certificate instead.

If you need assistance implementing this, you should probably ask on Stack Overflow.

Harry Johnston
  • 6,005
  • 4
  • 35
  • 52
  • Thanks, but the problem is not really the self signed certificate that a user need to add an expcetion. The problem is in fact that there is the application on port X (https) and a websocket on port X+1. The result is that the user need to add an exception for port X then open a new page on the port X+1 to add an other exception. I search a way to work around this problem. – iXô Aug 06 '18 at 13:04