Securing a Public IP Address - SSL Certificates

Jul 11, 2020

Securing a Public IP Address - SSL Certificates

Introduction

An SSL certificate is typically issued to a Fully Qualified Domain Name (FQDN) such as "https://www.example.com". However, some organizations need an SSL certificate for a public IP address. GlobalSign offers support for IP addresses on SSL certificates both in the common name and Subject Alternative Name (SANs) fields.
 

Ordering and Compatibility

Public IP addresses are supported on GlobalSign's OrganizationSSL certificates. Other variations, such as DomainSSL and ExtendedSSL, do not support the securing of an IP address. While an IP address can be specified as a common name or as a Subject Alternative name, there are compatibility factors that should be taken into account before deciding how to order.

If you are targeting Windows 10 and later, you can populate the IP address in either field. If however, you are targeting Windows 8.1 and earlier, you should only specify the IP address as the common name.

In order to maintain compliance with RFC 5280, subject alternative names have a value that specifies the content type. For example, a SAN for www.example.com would be specified as dNSName and a SAN for 123.456.78.90 would be specified as iPAddress. Proper handling for the iPAddress SAN type was added in Windows 10, versions prior to this will not process iPAddress SANs properly.

For this reason, if you need to target Windows versions prior to 10, order the certificate with the desired IP address as the common name; earlier versions of Windows will validate from the common name instead of the iPAddress SAN entry.

Note: Only public IP addresses can be used on OrganizationSSL certificates. You must be the owner of the public IP address as per the records held with the RIPE Network Coordination Centre (NCC). Internal IP addresses may be secured with GlobalSign's IntranetSSL certificates.