How can an IP address have an SSL certificate with a different "issued to" and not show an SSL error?
The above CloudFlare site is HTTPS-enabled and shows https://1.1.1.1/ in the address bar. The certificate is issued to cloudflare-dns.com.
Certificates may have more than one name – X.509 v3 supports an extension called "Subject Alternative Name" or "subjectAltName". This extension contains a list of names, e.g. in this case:
DNS Name=cloudflare-dns.com
DNS Name=*.cloudflare-dns.com
DNS Name=one.one.one.one
IP Address=1.1.1.1
IP Address=1.0.0.1
IP Address=162.159.132.53
IP Address=2606:4700:4700:0000:0000:0000:0000:1111
IP Address=2606:4700:4700:0000:0000:0000:0000:1001
IP Address=2606:4700:4700:0000:0000:0000:0000:0064
IP Address=2606:4700:4700:0000:0000:0000:0000:6400
IP Address=162.159.36.1
IP Address=162.159.46.1
In TLS, if this extension contains any DNS names or IP addresses, the certificate is valid for all of those names – and additionally it completely overrides the primary subject "CN" field.
In fact, the major web browsers have decided to require subjectAltName and completely ignore the subject "CN" (although only for commercial WebPKI certificates, not internal ones). It is likely that in the future WebPKI certificates will no longer have a CN field at all.
(One of the reasons for this switchover is that practically all systems support SAN, so the CN is practically never relevant anymore. Another is that subjectAltNames are strongly typed (each item is marked as a DNS domain, or an email address, or an IP address...) whereas the regular subject CN is freeform text and its meaning is system-dependent.)
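The typed matching described in the answer above, as an added example that is not part of the original answer and not any browser's actual code. The function names are hypothetical, the SAN list is a subset of the entries listed above, and the matching is simplified (no IDNA handling, wildcard only as the whole leftmost label).

```python
import ipaddress

# SAN entries copied from the certificate listing above, as (type, value) pairs.
SAN = [
    ("DNS", "cloudflare-dns.com"),
    ("DNS", "*.cloudflare-dns.com"),
    ("DNS", "one.one.one.one"),
    ("IP", "1.1.1.1"),
    ("IP", "1.0.0.1"),
    ("IP", "2606:4700:4700:0000:0000:0000:0000:1111"),
]

def _dns_match(pattern, host):
    """Compare a DNS-type entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_matches(target, san):
    """True if the host part of the URL is covered by a SAN entry of the same type.

    The subject CN is deliberately not an input: only SAN entries are consulted.
    """
    try:
        addr = ipaddress.ip_address(target.strip("[]"))  # accept [v6] URL form
    except ValueError:
        addr = None
    if addr is not None:
        # IP literal: only IP-type entries count, compared as addresses, not text.
        return any(t == "IP" and ipaddress.ip_address(v) == addr for t, v in san)
    # Hostname: only DNS-type entries count.
    return any(t == "DNS" and _dns_match(v, target) for t, v in san)

if __name__ == "__main__":
    for name in ("1.1.1.1", "[2606:4700:4700::1111]", "one.one.one.one",
                 "a.b.cloudflare-dns.com", "8.8.8.8"):
        print(f"{name:28} {san_matches(name, SAN)}")
```

Because entries are typed, a DNS-type entry whose text happens to be `1.1.1.1` does not cover `https://1.1.1.1/`; only an IP-type entry does.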
*.cloudflare-dns.com
Common Name in the Google Chrome Certificate Viewer and didn't know that there could be Subject Alternative Names for IP addresses. In the other question, the answers by Michael Frank and by me address this.