
I have a SCADA app running on Windows 10, and the app has its own website configured. It has a security certificate issued for the local IP. And everything is fine up to this point.

But to access the site from somewhere else we are port forwarding requests from our outer IP to the local address, so now the IP doesn't match the one in the certificate and it is not working. What would be the right workaround in these situations? I can't get my head around this problem. I can issue a certificate for the outer IP, but then the local network certificates are not working.

1 Answer


You can issue a single certificate for multiple names or addresses – just list all of them[1] in the "Subject Alternative Name" field (aka subjectAltName or SAN). This is supported by all CAs nowadays, and doesn't require any special support from the web server.

I would also create a DNS entry for your web app, so that you could access it using a domain name. If your network uses DNS "views", then you could easily have the same domain name resolve to either the public address from outside, or the internal address from inside – the certificate would only need a single name, and you would only need to bookmark a single URL.

Finally, it sounds like a bad idea to allow any sort of external access to your web app through port-forwarding at all. (Honestly, it sounds like a prime target for unwanted guests.) Avoiding port-forwarding and using a corporate VPN to reach the webapp remotely might be more secure and would avoid the issue of two different addresses, as you would always be accessing the internal address only.


[1] Beware of several common mistakes when dealing with subjectAltName, especially if your CA runs on hand-rolled openssl scripts...

  • The SAN field must include even the name that you've already put in the "CN=" field. (The two fields aren't combined automatically – when the certificate has a SAN list, browsers will just ignore the CN= attribute entirely.)

  • The SAN field has a distinction between DNS names and IP addresses – make sure your CA sets the correct type for each of the values. If you're using OpenSSL, use IP:1.2.3.4 instead of DNS:1.2.3.4.
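As an added example (not part of the original answer, and not code from the asker's CA software), the following Python script puts the two footnote pitfalls into practice: it classifies each value as a `DNS:` or `IP:` entry, always repeats the CN inside the SAN list, emits an OpenSSL config usable for both the CSR and the signing step, and checks a target name or address against a SAN string the way a browser does (CN ignored whenever a SAN is present, IP targets only matching `IP:` entries). The host name `scada.corp.example` and the addresses 192.168.10.25 / 203.0.113.40 are made-up stand-ins for the question's internal and forwarded addresses.

```python
"""Added example (not from the original question or answer): build a
subjectAltName extension for a web app reachable under several names and
addresses, emit the matching OpenSSL config, and check a target against a
SAN list the way a browser does.  All host names/addresses are constructed."""
import ipaddress
import re

# Constructed scenario: internal DNS name, LAN address and the forwarded
# public address (assumed values, not from the original page).
CN = "scada.corp.example"
NAMES = ["scada.corp.example", "192.168.10.25", "203.0.113.40"]


def classify(value):
    """Return ('IP', canonical address) or ('DNS', lowercased name).

    OpenSSL does not guess the entry type: DNS:192.168.10.25 is a DNS-name
    entry and never matches a URL that uses the bare IP (second pitfall in
    the footnote), so the type is derived from the value here."""
    try:
        return "IP", str(ipaddress.ip_address(value))
    except ValueError:
        return "DNS", value.lower()


def san_extension(values):
    """subjectAltName in OpenSSL's one-line syntax,
    e.g. 'DNS:scada.corp.example,IP:192.168.10.25'."""
    return ",".join(f"{kind}:{text}" for kind, text in map(classify, values))


def openssl_config(cn, values):
    """Config usable for both `openssl req -config` and `openssl x509 -extfile`.

    The CN is always listed in the SAN as well (first pitfall in the
    footnote): once a certificate carries a SAN, browsers ignore the CN."""
    entries, seen = [], set()
    for value in [cn, *values]:
        entry = classify(value)
        if entry not in seen:
            seen.add(entry)
            entries.append(entry)
    counters = {"DNS": 0, "IP": 0}
    alt_names = []
    for kind, text in entries:
        counters[kind] += 1
        alt_names.append(f"{kind}.{counters[kind]} = {text}")
    return "\n".join([
        "[req]", "prompt = no", "distinguished_name = dn",
        "req_extensions = v3_req", "",
        "[dn]", f"CN = {cn}", "",
        "[v3_req]", "subjectAltName = @alt_names", "",
        "[alt_names]", *alt_names, "",
    ])


def san_matches(san, target):
    """Does a certificate carrying this SAN string cover `target`?

    Mirrors browser behaviour: an IP target only matches IP: entries, a DNS
    target only matches DNS: entries (one '*' in the leftmost label allowed),
    and the CN is never consulted.  A certificate with no SAN at all is
    treated as non-matching, as current Chrome and Firefox do."""
    kind, want = classify(target)
    entries = [e.strip().split(":", 1) for e in san.split(",") if ":" in e]
    for ekind, etext in entries:
        if ekind != kind:
            continue
        if kind == "IP":
            if ipaddress.ip_address(etext.strip()) == ipaddress.ip_address(want):
                return True
        else:
            pattern = re.escape(etext.strip().lower()).replace(r"\*", r"[^.]+", 1)
            if re.fullmatch(pattern, want):
                return True
    return False


if __name__ == "__main__":
    print(openssl_config(CN, NAMES))
    # Issue the host certificate from an existing root (root.key/root.crt are
    # assumed to exist).  `openssl x509 -req` does not copy CSR extensions, so
    # the -extfile/-extensions pair is what puts the SAN into the signed cert.
    print("openssl req -new -newkey rsa:2048 -nodes -keyout host.key "
          "-out host.csr -config san.cnf")
    print("openssl x509 -req -in host.csr -CA root.crt -CAkey root.key "
          "-CAcreateserial -days 825 -extfile san.cnf -extensions v3_req "
          "-out host.crt")
    print("openssl x509 -in host.crt -noout -text   "
          "# look for the X509v3 Subject Alternative Name line")
```

Save the printed config as `san.cnf` and run the three printed commands against your own root key and certificate; the last one should show all three entries under "X509v3 Subject Alternative Name". The `san_matches` check is the quick way to confirm, before deploying, that the forwarded address will actually be accepted: a certificate issued with `DNS:203.0.113.40` rather than `IP:203.0.113.40` fails that check exactly as the browser would.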

  • As for the port forwarding, I oversimplified a bit, but this time our router is actually within another network. So there won't be direct access from the internet. But people who are within the network in which our router is will be forwarded to the site app. And our router connects to our office with a VPN connection, so we can access the site from our office.
    – jnegle
    Commented Dec 21, 2020 at 18:43
  • I hope it makes sense.
    – jnegle
    Commented Dec 21, 2020 at 18:43
  • With the software we use for this project we create a Root certificate and then issue the Host certificate. And for the Host certificate there is no option for SAN. But you made me think and I resolved the issue by creating a Host certificate with just the computer name -> then by editing the Windows "hosts" file people can associate the Computer Name with the IP they need to connect to. It sounds something like the DNS entry you mentioned, but probably is not entirely the same. Thumbs up, great info.
    – jnegle
    Commented Dec 21, 2020 at 18:51
  • It makes sense, although your CA software not supporting subjectAltName sounds like it's old and unmaintained (SAN is very widely used on the Internet). Tbh, having to use port-forwarding internally to a network sounds like a bit of a mess as well. Commented Dec 21, 2020 at 18:52
  • (Though there is always the possibility that it supports SAN and just doesn't call it that way – it might be called simply "multi-domain" or something like that.) Commented Dec 21, 2020 at 18:53
