Question

I am developing an https-based web server on my machine. This currently works with a self-signed certificate. Of course, my browsers complain about it, but it is okay for me to skip this check and accept my very own certificate.

Now I would like a co-worker to be able to access my https server as well. My machine has neither an internal host name set up nor a static IP address.

Of course, if I create a certificate for localhost, it will not work for him - as localhost for him is his machine, not mine.

How can I solve this issue?

Is the only way to assign a static IP address or to set up a host name? Is it possible to get a certificate that matches any IP and / or hostname?

(Please note that I know that this is quite counterintuitive to what certificates are meant for, and I highly doubt that you will find someone trustworthy who issues a certificate for anything, but I still have hope ;-). At the moment, we do not need it for authentication, just for testing. We would replace it with a valid certificate later on.)


Solution

You can issue a certificate to multiple Subject Alternative Names (e.g. localhost, machine001.local and 192.168.0.15). Note that, for IP addresses, the SAN must be of type IP address. Most tools that let you do this will let you specify the type (XCA is one of them for example).

I'm not sure how your co-worker can access your machine if it doesn't have either an internal host name or a static IP address. Perhaps you could use something like mDNS to give it a .local name anyway. Alternatively, you can use dynamic DNS services. They would also work even if they resolve the DNS to an IP address that is only routed on your LAN.

Ideally (since you don't want to use a commercial CA), you should create a CA (again, XCA can help) and distribute your CA certificate to your co-workers. In this case you wouldn't even have to add exceptions.

Having a certificate that matches any IP address or hostname wouldn't work. You normally can't have wildcards with IP addresses, and most browsers require more than one "label". Some implementations even make sure you have enough to fall within the scope of an actual domain (e.g. *.something.com or *.something.co.uk).

(Some browsers would let you add exceptions that also comprise the name mismatch (Firefox is one of them), so in this case, the names are not particularly relevant.)
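As an added example (not part of the question or the answer), here is the OpenSSL equivalent of what the answer describes doing with XCA: a throwaway local CA whose certificate is distributed to co-workers, and a server certificate whose SAN lists DNS names plus an IP entry of IP type. The names localhost, machine001.local and 192.168.0.15 come from the answer; the CA name, file paths and key sizes are constructed for illustration.

```shell
#!/bin/sh
# Added example: local CA + server certificate with DNS and IP SANs via OpenSSL.
# Paths and the "Dev Test CA" name are constructed, not from the original post.
set -eu

make_san_cert() {
  dir=$1
  mkdir -p "$dir"
  # Self-contained OpenSSL config so the example does not depend on the system
  # openssl.cnf. The IP address must be an IP: entry, not DNS:.
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,DNS:machine001.local,IP:192.168.0.15
EOF
  # 1. CA key and self-signed CA certificate (only ca.crt is handed out).
  openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Dev Test CA" -days 365 2>/dev/null
  # 2. Server key and CSR (the CN alone is not enough; browsers use the SAN).
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=machine001.local" 2>/dev/null
  # 3. CA signs the CSR, attaching the server_ext section with the SAN list.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/openssl.cnf" -extensions server_ext \
    -out "$dir/server.crt" 2>/dev/null
}

# Check the certificate the way a client that trusts ca.crt would: pass either
# "-verify_hostname NAME" or "-verify_ip ADDR" after the two file arguments.
# Prints "ok" when the chain and the name/IP match, "mismatch" otherwise.
verify_name() {
  ca=$1; cert=$2; shift 2
  if openssl verify -CAfile "$ca" "$@" "$cert" >/dev/null 2>&1; then
    echo ok
  else
    echo mismatch
  fi
}
# Usage: make_san_cert ./san-demo
#        verify_name ./san-demo/ca.crt ./san-demo/server.crt -verify_ip 192.168.0.15
```

Import ca.crt (never ca.key) into the co-worker's trust store and the exception prompts disappear for every name or address listed in the SAN; anything not listed still fails the name check, as the `-verify_hostname` / `-verify_ip` calls show.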

Licensed under: CC-BY-SA with attribution