TLS Cert for unknown IP (shippable software)

Stephen Collins asked:

I am writing a distributed application that will be sold to multiple customers and hosted on premise. This application operates as a distributed system where many of the same applications communicate with each other over HTTPS as RESTful services.

Knowing I have no control over the IP address or domain name these application use I still need a default TLS certificate that ships with the app (is overridable to meet security compliance).

I can specify a wildcard name for my CN field in openssl as * but when a node tries to reach another node the cert doesn’t match with the IP address it is hosted on.

Python requests library gives an error: WARNING:urllib3.connection:Certificate did not match expected hostname: 192.168.1.150.

  • I am not asking about the above error this is just to describe my problem.

Example

HostA: 192.168.1.150:5000

HostB: 192.168.1.151:5000

Cert CN: *

HostB -> HostA Doesn’t work because the cert doesn’t specify 192.168.1.150 as an address.

Is there a proper way to handle this? I know some routers ship with default certs but they have control over their host address.

My answer:


You can certainly ship a default TLS certificate. What you can’t do is make it not throw security warnings. It’s up to the end user to replace the certs if this is an issue for them, and it’s up to the developer of the product to make that as convenient as possible.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.