#1 2024-12-05 21:39:04

ulrichd
Member
Registered: 2018-07-30
Posts: 19

X509 SAN with IP addresses

I'm evaluating whether I can use mORMot2 to generate a certificate on start up of a server. One requirement I have is to issue the certificate not only for the host name(s) but also for the IP addresses of the PC the server runs on. So far we've done this by passing a config to openssl with the following contents:

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = xyz
DNS.2 = localhost
IP.1 = ::1
IP.2 = 127.0.0.1
IP.3 = 10.0.0.10

With CryptCert[caaRS256].Generate I've only been able to generate certificates with DNS entries as Subject Alternative Name.

Is there a way to get IP addresses included as well?


#2 2024-12-06 04:34:32

Chaa
Member
Registered: 2011-03-26
Posts: 252

Re: X509 SAN with IP addresses

Use 'IP:192.168.0.42' syntax. For example:

LCert := Cert(caaRS256);
LCert.Generate([cuTlsServer, cuKeyAgreement, cuKeyEncipherment, cuDigitalSignature],
    'localhost,IP:127.0.0.1', LRootCA, 90);


#3 2024-12-06 14:24:45

ulrichd
Member
Registered: 2018-07-30
Posts: 19

Re: X509 SAN with IP addresses

Chaa, thanks for the suggestion, but that only yields:

            X509v3 Subject Alternative Name:
                DNS:xyz, DNS:localhost, DNS:IP:::1, DNS:IP:127.0.0.1

for me when I check the resulting PEM with openssl x509 -noout -text -in test.pem.

It should look like this instead:

            X509v3 Subject Alternative Name:
                DNS:xyz, DNS:localhost, IP Address:0:0:0:0:0:0:0:1, IP Address:127.0.0.1

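The two openssl dumps above differ in how the address is encoded inside the extension, not just in how it is printed. Under RFC 5280 section 4.2.1.6 a SubjectAltName is a SEQUENCE of GeneralName values: a host name is the [2] dNSName choice carrying IA5String text, while an IP address is the [7] iPAddress choice carrying the raw 4- or 16-octet address. A client that connects to 127.0.0.1 only compares the peer address against iPAddress entries, so a dNSName whose text happens to be "IP:127.0.0.1" never matches. The following stand-alone Python (an added example, not mORMot or openssl code) builds the DER for the comma-separated list syntax used in this thread, decodes it back into openssl-style labels, and shows that the mis-encoded form fails an IP match. The ip_aware flag, the helper names and the constructed inputs are this example's own; openssl prints ::1 in its uncompressed form (0:0:0:0:0:0:0:1), whereas this code uses Python's compressed form.

```python
import ipaddress

# GeneralName CHOICE tag numbers from RFC 5280, section 4.2.1.6
TAG_DNS_NAME = 2    # [2] dNSName    IA5String
TAG_IP_ADDRESS = 7  # [7] iPAddress  OCTET STRING of 4 (IPv4) or 16 (IPv6) octets
CONTEXT = 0x80      # context-specific class bit for the implicit tags
SEQUENCE = 0x30


def _der_len(n):
    """DER length: short form below 128, long form with a byte count above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_san(entries, ip_aware=True):
    """Encode 'xyz,localhost,IP:::1,IP:127.0.0.1' as a DER GeneralNames SEQUENCE.

    ip_aware=False (hypothetical switch for this example) emits every item as a
    dNSName, which reproduces the 'DNS:IP:127.0.0.1' result seen in the thread:
    the literal text lands in a DNS entry instead of the binary iPAddress choice.
    """
    names = []
    for raw in entries.split(","):
        item = raw.strip()
        if not item:
            continue
        if ip_aware and item[:3].upper() == "IP:":
            addr = ipaddress.ip_address(item[3:])  # validates and packs the address
            names.append(_tlv(CONTEXT | TAG_IP_ADDRESS, addr.packed))
        else:
            if item[:4].upper() == "DNS:":
                item = item[4:]
            names.append(_tlv(CONTEXT | TAG_DNS_NAME, item.encode("ascii")))
    return _tlv(SEQUENCE, b"".join(names))


def _read_tlv(buf, pos):
    """Read one DER element at pos; returns (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_san(der):
    """Decode a GeneralNames SEQUENCE into labels in the style of openssl x509 -text."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single GeneralNames SEQUENCE")
    out = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        number = tag & 0x1F
        if number == TAG_DNS_NAME:
            out.append("DNS:" + value.decode("ascii"))
        elif number == TAG_IP_ADDRESS:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 octets, got %d" % len(value))
            out.append("IP Address:" + str(ipaddress.ip_address(value)))
        else:
            out.append("other[%d]" % number)
    return out


def san_covers_ip(der, peer_ip):
    """Mimic a TLS client's address check: only iPAddress entries count, never dNSName text."""
    want = ipaddress.ip_address(peer_ip).packed
    _, body, _ = _read_tlv(der, 0)
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if (tag & 0x1F) == TAG_IP_ADDRESS and value == want:
            return True
    return False


if __name__ == "__main__":
    # Constructed input matching the SAN list from the thread.
    san_list = "xyz,localhost,IP:::1,IP:127.0.0.1"
    good = encode_san(san_list)
    bad = encode_san(san_list, ip_aware=False)
    print("correct: ", ", ".join(decode_san(good)))
    print("mistaken:", ", ".join(decode_san(bad)))
    print("client connecting to 127.0.0.1 accepts correct cert:", san_covers_ip(good, "127.0.0.1"))
    print("client connecting to 127.0.0.1 accepts mistaken cert:", san_covers_ip(bad, "127.0.0.1"))
```

Running it prints the correct list with "IP Address:" entries and the mistaken one with "DNS:IP:..." entries, and only the correct encoding satisfies the address check; the same test (openssl x509 -noout -text, then look for "IP Address:" rather than "DNS:IP:") is the quick way to confirm whatever generator is used emitted the [7] choice.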

#4 2024-12-06 14:56:55

Chaa
Member
Registered: 2011-03-26
Posts: 252

Re: X509 SAN with IP addresses

Code from my project:

var
  LCert: ICryptCert;
begin
  LCert := Cert('x509-rs256');
  LCert.Generate([cuTlsServer, cuKeyAgreement, cuKeyEncipherment, cuDigitalSignature],
    'localhost,IP:127.0.0.1', LRootCA, 90);
end

Run "openssl x509 -noout -text -in cert.pem" with my certificate:

            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1

I use mormot.lib.openssl11/mormot.crypt.openssl with the USE_OPENSSL and FORCE_OPENSSL defines, and call RegisterOpenSsl.


#5 2024-12-06 15:22:23

ulrichd
Member
Registered: 2018-07-30
Posts: 19

Re: X509 SAN with IP addresses

Ah, I see.

Sorry, I should have mentioned that I was trying this with just mormot.crypt.x509.

I assume right now there's no way of adding IP addresses to the SAN without falling back on the openssl integration?
