
How can an IP address have an SSL certificate with a different "issued to" and not show an SSL error?

https://1.1.1.1/

The above Cloudflare site is HTTPS-enabled and shows https://1.1.1.1/ in the address bar. The certificate is issued to cloudflare-dns.com.

  • It's kind of a duplicate, but it seems to focus more on policies (i.e. who is allowed to be a cert subject) rather than the technical side (how a certificate actually specifies its subject). Commented Mar 15, 2019 at 14:11
  • 2
    @grawity: It's the same kind of confusion, though, since at the time, I only saw the *.cloudflare-dns.com Common Name in the Google Chrome Certificate Viewer and didn't know that there could be Subject Alternative Names for IP addresses. In the other question, the answers by Michael Frank and by me address this.
    – Deltik
    Commented Mar 15, 2019 at 14:19

1 Answer


Certificates may have more than one name – X.509 v3 supports an extension called "Subject Alternative Name" or "subjectAltName". This extension contains a list of names, e.g. in this case:

DNS Name=cloudflare-dns.com
DNS Name=*.cloudflare-dns.com
DNS Name=one.one.one.one
IP Address=1.1.1.1
IP Address=1.0.0.1
IP Address=162.159.132.53
IP Address=2606:4700:4700:0000:0000:0000:0000:1111
IP Address=2606:4700:4700:0000:0000:0000:0000:1001
IP Address=2606:4700:4700:0000:0000:0000:0000:0064
IP Address=2606:4700:4700:0000:0000:0000:0000:6400
IP Address=162.159.36.1
IP Address=162.159.46.1

In TLS, if this extension contains any DNS names or IP addresses, the certificate is valid for all of those names – and additionally it completely overrides the primary subject "CN" field.

In fact, the major web browsers have decided to require subjectAltName and completely ignore the subject "CN" (although only for commercial WebPKI certificates, not internal ones). It is likely that in the future WebPKI certificates will no longer have a CN field at all.

(One of the reasons for this switchover is that practically all systems support SAN, so the CN is practically never relevant anymore. Another is that subjectAltNames are strongly typed (each item is marked as a DNS domain, or an email address, or an IP address...) whereas the regular subject CN is freeform text and its meaning is system-dependent.)
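The matching rule the answer describes, as an added example that is not part of the original answer: a TLS client takes the host typed in the address bar, decides whether it is an IP literal or a DNS name, and checks it only against SAN entries of the same type, ignoring the subject CN whenever a SAN extension is present. The SAN entries are the ones quoted in the answer; the function names, the (type, value) tuple representation and the simplified RFC 6125 wildcard rules are assumptions of this example, not a real library's API.

```python
"""Hostname / IP matching against a certificate's subjectAltName list.

Added example, not code from the Super User answer. It models the rule the
answer describes: when a certificate carries a subjectAltName extension, the
client checks the requested host against the typed SAN entries and ignores the
subject CN. The SAN entries below are copied from the answer; the matching
logic is a simplified RFC 6125 / RFC 5280 check (one wildcard, leftmost label
only, no IDNA handling).
"""
import ipaddress

# Constructed representation of the Cloudflare certificate's SAN list as
# quoted in the answer: a list of (type, value) pairs.
CLOUDFLARE_SAN = [
    ("DNS", "cloudflare-dns.com"),
    ("DNS", "*.cloudflare-dns.com"),
    ("DNS", "one.one.one.one"),
    ("IP", "1.1.1.1"),
    ("IP", "1.0.0.1"),
    ("IP", "162.159.132.53"),
    ("IP", "2606:4700:4700:0000:0000:0000:0000:1111"),
    ("IP", "2606:4700:4700:0000:0000:0000:0000:1001"),
    ("IP", "2606:4700:4700:0000:0000:0000:0000:0064"),
    ("IP", "2606:4700:4700:0000:0000:0000:0000:6400"),
    ("IP", "162.159.36.1"),
    ("IP", "162.159.46.1"),
]


def _dns_matches(pattern, hostname):
    """DNS-ID match: case-insensitive, at most one wildcard, and only as the
    whole leftmost label ('*.example.com' matches 'a.example.com' but not
    'example.com' or 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard must be the entire leftmost label, nowhere else
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False  # same label count, and refuse '*.com'-style wildcards
    return p_labels[1:] == h_labels[1:]


def _parse_ip(text):
    """Return an ip_address object for an IP literal (IPv6 may be bracketed),
    or None if the text is a DNS name."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def host_matches_certificate(requested_host, san_entries, common_name=None):
    """Return True if requested_host (DNS name or IP literal as typed in the
    address bar) is covered by the certificate.

    A non-empty SAN list is authoritative and common_name is ignored, which is
    what the answer says browsers do. A certificate with no SAN at all is
    rejected here regardless of CN, mirroring the browser behaviour the answer
    describes (the CN is never consulted)."""
    if not san_entries:
        return False
    ip = _parse_ip(requested_host)
    for kind, value in san_entries:
        if kind == "IP" and ip is not None:
            san_ip = _parse_ip(value)
            # ipaddress normalises forms, so 2606:4700:4700::1111 equals the
            # zero-padded entry in the certificate; match must be exact.
            if san_ip is not None and san_ip == ip:
                return True
        elif kind == "DNS" and ip is None:
            if _dns_matches(value, requested_host):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample hosts: the OP's URL, one IPv6 literal, a subdomain,
    # an address that is not in the list, and a CN-only certificate.
    for host, san, cn in [
        ("1.1.1.1", CLOUDFLARE_SAN, "cloudflare-dns.com"),
        ("[2606:4700:4700::1111]", CLOUDFLARE_SAN, "cloudflare-dns.com"),
        ("dns.cloudflare-dns.com", CLOUDFLARE_SAN, "cloudflare-dns.com"),
        ("1.1.1.2", CLOUDFLARE_SAN, "cloudflare-dns.com"),
        ("1.1.1.1", [], "1.1.1.1"),
    ]:
        print(f"{host:28} CN={cn:20} -> {host_matches_certificate(host, san, cn)}")
```

Running the script shows why https://1.1.1.1/ passes: the address bar host is an IP literal, so only the IP Address entries are consulted, and 1.1.1.1 is one of them; the CN of cloudflare-dns.com never enters the comparison. The last row shows the opposite case the answer alludes to: a certificate whose only name is in the CN is rejected even when that CN equals the visited address.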

  • I'm not sure that I'd expect Subject/CN to go away any time soon. It makes for a nice thing to print representing the certificate.
    – bartonjs
    Commented Mar 15, 2019 at 15:06
  • @bartonjs: It won't go away for certificates in general, but it's outright misleading for TLS certificates when SAN is present, so in this situation I wouldn't call it "nice" in any way at all. Browsers can instead be taught to print the SAN list in the same format. (Consider e.g. CDNs with hundred-domain certificates, or OP's situation where the CN isn't actually the visited domain...) CA/B Forum's latest drafts already list it as "deprecated" and "discouraged". Commented Mar 15, 2019 at 15:09
