Server certificate in which the CN is a non-existent FQDN (intranet)
Our customers frequently ask for server certificates in which the CN is a name (in letters) that does not correspond to an officially registered domain. The list of official root domains is available here.
Unofficial domains used for internal purposes present a risk: two different entities can request a certificate for the same CN. Furthermore, a domain that is not official today can become official tomorrow, since it can be bought, which creates new risks of impersonation.
That is why several certification authorities already refuse to issue such certificates. The standards also require their disappearance as of 2015 (further information). There is an exception for the reserved domains of RFC 2606 (.test, .example, .invalid, .localhost).
We advise against using internal domains and recommend renaming the ones currently in use, see Rename an Active Directory domain.
Enter an IP address in the certificate's CN field?
By definition, a certificate secures / authenticates what is indicated in the CN (Common Name) field. So, if a fully qualified domain name is provided, the server does not depend on its IP address. In this case, access to the web site will always be valid whether you connect by its IPv4 or IPv6 address (even if the server is behind a router with a local network IP address), as long as you access it by its name (in the browser's URL bar).
Of course, you lose this independence when you enter an IP address in your certificate.
Enter a private IP in your certificate:
We advise against it, for the same reasons as for the intranet FQDN (see above).
IPv4 private addresses (RFC 1918):
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
IPv6 private (local) addresses (RFC 5156, RFC 4193, RFC 4291):
- fc00::/7: unique local addresses
- fe80::/10: link-local addresses
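As an added example (not part of this FAQ and not the certification authority's own tooling), here is a small Python check that applies the rules above to the names requested in a CSR: it flags single-label host names and names under unofficial domains as internal names, accepts the RFC 2606 reserved domains as the exception noted above, and classifies IP addresses against the private ranges listed. It assumes a short hard-coded list of public TLDs (`KNOWN_PUBLIC_TLDS`) standing in for the official root domain list linked above; a real check would load that list instead.

```python
import ipaddress
import re

# RFC 2606 reserved domains, the exception mentioned in the FAQ.
RFC2606_RESERVED = {"test", "example", "invalid", "localhost"}

# Private / local ranges exactly as listed on the page (RFC 1918, RFC 4193, RFC 4291).
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),   # unique local addresses
    ipaddress.ip_network("fe80::/10"),  # link-local addresses
]

# ASSUMPTION for this offline demo: a tiny stand-in for the official root domain list.
KNOWN_PUBLIC_TLDS = {"com", "org", "net", "be", "fr", "eu"}

# One DNS label: 1-63 chars of letters, digits or hyphen, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_name(name):
    """Classify one requested CN / SAN value.

    Returns one of: 'private-ip', 'public-ip', 'rfc2606-reserved',
    'internal-name', 'public-fqdn', 'invalid'.
    """
    value = name.strip().lower().rstrip(".")

    # Is it an IP address rather than a host name?
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        # Loopback/unspecified are not on the page's list but are never public either.
        if addr.is_loopback or addr.is_unspecified or any(addr in net for net in PRIVATE_NETWORKS):
            return "private-ip"
        return "public-ip"

    labels = value.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "invalid"

    if len(labels) == 1:
        # A bare host name such as "intranet": no registered domain at all.
        return "rfc2606-reserved" if labels[0] in RFC2606_RESERVED else "internal-name"

    tld = labels[-1]
    if tld in RFC2606_RESERVED:
        return "rfc2606-reserved"
    if tld in KNOWN_PUBLIC_TLDS:
        return "public-fqdn"
    # Unregistered suffix (e.g. ".local", ".corp"): could be bought by someone else later.
    return "internal-name"


def review_csr_names(names):
    """Split requested names into (accepted, rejected) lists, each entry (name, reason)."""
    accepted, rejected = [], []
    for name in names:
        kind = classify_name(name)
        if kind in ("public-fqdn", "rfc2606-reserved"):
            accepted.append((name, kind))
        elif kind == "public-ip":
            accepted.append((name, "public-ip: confirm with the ISP that it is assigned to the O field"))
        else:
            rejected.append((name, kind))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of names a customer might put in a CSR.
    sample = ["www.example.com", "intranet", "mail.corp.local", "192.168.1.10", "fe80::1", "host.test"]
    ok, bad = review_csr_names(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

The classification stays deliberately close to the page's wording: an "internal name" is anything that is neither an IP address nor a name under an officially registered domain, and a private IP is anything inside the ranges listed in the two bullet lists.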
Enter a public (official) IP in your certificate:
If you need a certificate for a public IP address, ask your ISP or hosting company whether this IP is actually assigned to your organization's name (the O field of the CSR); some professional subscriptions provide this. This links the owner of the IP address to the certificate requester.
Soon, with the new IPv6 addresses, this correspondence between an IP address and an organization should become more common (via a simple request to your ISP or hosting company), and might even be automated at subscription time.
Get more information about obtaining a server certificate and generating the certificate signing request (CSR): click here