How to generate correct CSR when the IP address is in CN or SAN? Please ensure that the IP address is mentioned in the SAN extension as IP Address and DNS Name.
When an internal/external IP Address is part of Common Name (CN) or Subject Alternative Name (SAN) care needs to be taken while generating the CSR.
If not done correctly then the latest browsers like Chrome and Edge give an error – “Your connection to this site is not secure.” Note that deprecated Microsoft Internet Explorer does not give any error in this case.
To avoid this problem please ensure that the IP address is mentioned in the SAN extension as DNS Name and IP Address.
A sample configuration file is shown below for Multi-domain Certificate with 1+3 SAN values, where CN has IP-Address-1 and SAN values are IP-Address-2, SAN-1, and SAN-2.
———
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = IP-Address-1
O = Org Name
L = Location/City
ST = State/Province
C = 2 digit code
[ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = IP-Address-1
IP.2 = IP-Address-2
DNS.1 = IP-Address-1
DNS.2 = IP-Address-2
DNS.3 = SAN-1
DNS.4 = SAN-2
———
Leave a Reply