I have used a self-signed certificate on an Ubuntu LAMPP server. I have used SSL with the IP address, like https://111.11.11.111/

I have created the crt and key file using this command:

```
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/lampp/et/ssl.key/server/key -out /opt/lampp/etc/sssl.crt/server.cr
```

I got this:

Your connection is not secure

The owner of 11.11.11.111 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

VVish
  • HTTPS world does not work really with certificates containing IP addresses instead of hostnames, or IPs in URLs as hostnames. You can generate such certificates and they do exist in other areas, but clearly they are not fit for HTTPS (and you do not describe sufficiently how you create the certificate, specifically the SAN part). So whatever you are attempting to solve doing things that way, it is not the right way. You should backtrack and start explaining your real problem before coming to the conclusion that you need an https URL with an IP address instead of a hostname. – Patrick Mevzek Apr 24 '19 at 22:59
  • I have followed these steps https://www.akadia.com/services/ssh_test_certificate.html to generate the Self Signed.
    Country Name (2 letter code) [GB]:DN
    State or Province Name (full name) [Berkshire]:Berlin
    Locality Name (eg, city) [Newbury]:Berlin
    Organization Name (eg, company) [My Company Ltd]:Apache Friends
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:11.11.11.111
    Email Address []:you@example.com
    – Bhargav Parekh Apr 25 '19 at 06:11
  • @PatrickMevzek: support for IPaddr has been inconsistent over the years, but (my) IE11 and Firefox60esr do support it in CommonName, and Chrome76 does support it in SAN (Chrome has not supported _anything_ in CommonName for about 2 years). Bhargav: `req -x509` creates a **self-signed cert** and _all_ self-signed certs (IPaddr or other) only work if you import them manually to the browser's cert store. I bet you didn't, and if you click(ed) 'Advanced' you would see "The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER" – dave_thompson_085 Aug 03 '19 at 10:25

1 Answer

What you've done is to create a key pair. This pair is actually two files. The first file, the smaller one, is the public key. The second file, the bigger one, is the private key.

You can use this key pair to connect to your server via ssh. You've generated the key pair so you can trust it (as long as you keep the private part secure and do not share it in public places). This is done so you can ssh into your server more securely than using a password. This is done by placing the public part of the key on the server and keeping the private part on your computer (client).

Given that you generated the key pair you can trust it, but you cannot expect anyone else to trust it - so you cannot use it to provide https for your domain.

If enabling https for your domain is what you're trying to achieve (as it seems), you have to go through a Certificate Authority (CA). They give you a test (setting a DNS record / placing a file on your domain / receiving an email) before they generate the certificate for you. CAs are highly regulated and have strict operating conditions, so we take it for granted that they can be trusted by everyone.

There are paid CAs or free ones - like letsencrypt.org.

Also, keep in mind that you cannot use https for IP addresses. Not without using some special config on your local device, but anyone else wouldn't be able to access your server via https://IP.

Sorin Buturugeanu
  • SSH and SSL-now-TLS are entirely different. SSH does use bare public keys, always for server and often for client also. TLS uses, and `openssl req -x509` generates, an X.509 certificate, which is quite different. You can create your own cert without a CA -- other people won't trust it at least by default, but you can still use it yourself or for testing. And you _can_ use IPaddr (see my comment on Q) although if you use a _private_ IPaddr (like 192.168.0.0/16) people outside your network can't reach it -- that's unrelated to TLS. – dave_thompson_085 Aug 03 '19 at 10:28
  • @dave_thompson_085 OpenSSH can use X.509 certificates too, not only just bare keys. – Patrick Mevzek Aug 03 '19 at 15:45
  • @PatrickMevzek: not upstream; it has its own kind of certs that aren't remotely X.509 -- and aren't interoperable. But since OpenSSH is so dominant, I'll agree to 'almost always'. – dave_thompson_085 Aug 04 '19 at 08:39
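
The two points raised in the comments above (an IP address carried in the certificate's subjectAltName, and a self-signed certificate verifying only against a trust store that already contains it), as an added example that is not part of the original posts. It assumes OpenSSL 1.1.1 or newer for `-addext`; the address `192.0.2.10`, the temporary directory and the helper names `make_cert`, `ip_matches` and `is_trusted` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original posts.
# 192.0.2.10 is a constructed documentation address (RFC 5737).
IP="192.0.2.10"
WORK="$(mktemp -d)"            # throwaway directory for keys and certs
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [san]: self-signed cert with CN=$IP; with "san" it also gets
# an IP subjectAltName. -addext needs OpenSSL 1.1.1 or newer.
make_cert() {
  san=""
  if [ "$2" = "san" ]; then san="subjectAltName = IP:$IP"; fi
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$IP" \
    ${san:+-addext "$san"} 2>/dev/null
}

# ip_matches NAME: true when the cert carries $IP as a SAN iPAddress entry.
# OpenSSL's IP check does not fall back to the CommonName.
ip_matches() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkip "$IP" | grep -q "does match"
}

# is_trusted NAME [ANCHOR]: true when the cert verifies against ANCHOR.
# Without ANCHOR the trust store is empty, like a browser that never
# imported the certificate.
is_trusted() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

report() { if "$@"; then echo yes; else echo no; fi; }

make_cert cn_only
make_cert with_san san
echo "CN only: IP matches            = $(report ip_matches cn_only)"
echo "IP SAN:  IP matches            = $(report ip_matches with_san)"
echo "IP SAN:  trusted, not imported = $(report is_trusted with_san)"
echo "IP SAN:  trusted, imported     = $(report is_trusted with_san "$WORK/with_san.crt")"
```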