Certificate subjectAlternativeName with wildcard IP


Question

I need to create a certificate, which will be used as TLS server authority on any random host in the isolated LAN. Can I use in the subjectAlternativeName field some wildcard for IP instead of domains, like 10.0.0.255 or 10.0.0.0/24, for that purpose?

P.S. Any host in the LAN can be a client for a distributed net of servers, which can be started on any host and connected to a fluid dynamic grid behind a load balancer, which manages connections in this crease network.)

Recommended answer

Here is what RFC 2818 (assuming you're talking about HTTPS) has to say on this:

In some cases, the URI is specified as an IP address rather than a 
hostname. In this case, the iPAddress subjectAltName must be present  
in the certificate and must exactly match the IP in the URI.

This would exclude usage of wildcard or subnet notations.

The more recent RFC 6125, which aims to harmonise identification across other protocols, explicitly excludes IP addresses from its scope.

This being said, you may find that there are some non-compliant clients out there with their own interpretation (there are some that allow usage of an IP address in the CN of the Subject DN, for example). I wouldn't recommend counting on it generally.

It seems a bit surprising that you'd want to use TLS at all on what you call an "isolated LAN". In addition, if you're in control of that LAN, you could assign names to your machines and use hostname matching.
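
The matching rule quoted from RFC 2818 above, as an added example that is not part of the original question or answer: a client-side check over a certificate dictionary shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The function names, the sample certificates and the `lan.example` domain are hypothetical, and the wildcard policy (whole leftmost label only, at least two further labels) is an assumption of this sketch.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object, or None if value is not one literal IP."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None  # hostnames, "10.0.0.0/24" and "10.0.0.*" all land here

def _dns_match(pattern, host):
    """Case-insensitive DNS match; '*' may only be the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_matches(cert, reference):
    """cert: getpeercert()-style dict; reference: the host or IP the client dialled."""
    sans = cert.get("subjectAltName", ())
    ref_ip = _as_ip(reference)
    if ref_ip is not None:
        # RFC 2818: for an IP reference an iPAddress SAN must match exactly.
        # DNS SANs, wildcards, subnets and the Subject CN are not consulted.
        return any(kind == "IP Address" and _as_ip(value) == ref_ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, reference)
               for kind, value in sans)

# Constructed sample certificates (not taken from the page).
CERT_IP = {"subjectAltName": (("IP Address", "10.0.0.5"),)}
CERT_IP6 = {"subjectAltName": (("IP Address", "0:0:0:0:0:0:0:1"),)}
CERT_SUBNET_AS_DNS = {"subjectAltName": (("DNS", "10.0.0.0/24"), ("DNS", "10.0.0.*"))}
CERT_WILDCARD_DNS = {"subjectAltName": (("DNS", "*.lan.example"),)}

if __name__ == "__main__":
    for cert, ref in [(CERT_IP, "10.0.0.5"), (CERT_IP, "10.0.0.6"),
                      (CERT_SUBNET_AS_DNS, "10.0.0.7"),
                      (CERT_WILDCARD_DNS, "node17.lan.example")]:
        print(ref, "->", san_matches(cert, ref))
```

Only the certificate listing the exact address and the wildcard DNS certificate reached by name are accepted; the subnet and `*` forms never match an IP reference.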
