引用:https://stackoverflow.com/questions/1095780/are-ssl-certificates-bound-to-the-servers-ip-address
An SSL certificate cannot be issued for Reserved IP addresses (RFC 1918 and RFC 4193 range)/ private IP addresses (IPv4, IPv6), Intranet for Internal Server Name, local server name with a non-public domain name suffix.(不能为保留的IP地址(RFC 1918和RFC 4193范围)/私有IP地址(IPv4, IPv6)、内部网用于内部服务器名、带有非公共域名后缀的本地服务器名颁发SSL证书。)
A certificate can be bound to an IP address . You can issue a self-signed certificate to a private address, but a trusted CA will not issue a certificate to a private address because it can not verify its identity.(证书可以绑定到一个IP地址。您可以向私有地址颁发自签名证书,但受信任的CA不会向私有地址颁发证书,因为它无法验证其身份。)
For example a certificate issued to 192.168.0.1 would be theoretically valid in any context, and this should not be allowed by a trusted CA(例如,发给192.168.0.1的证书理论上在任何上下文中都是有效的,而受信任的CA不应该允许这样做)
引用:https://blog.csdn.net/u012912380/article/details/93173058
IP的SSL证书有两种,一种是DVSSL,另外一种是OVSSL:
DVSSL: 这种证书无论是企业还是个人均可申请,只需要验证IP地址的管理权限。同时支持多个IP绑定在一起。颁发只需要30分钟左右。 OVSSL 这种证书只能企业等单位性质的用户才能申请,除了验证IP的管理权限之外,还需要验证企业的身份。当然得到的证书和上面的DVSSL也是不一样的。颁发需要1-3工作日IP地址申请SSL证书需要满足以下条件:
IP必须是公网IP;申请者对申请SSL证书的IP具有管理权限;申请者可以是企业,组织机构,也可以是个人;IP可以申请OVSSL(企业型SSL证书)或DVSSL证书(基础验证级证书);IP只能申请单个IP,或者多个IP绑在一起的SSL证书,目前不支持IP段的通配。 审核流程与企业型SSL证书和域名型SSL证书基本一致。引用:https://blog.csdn.net/ustccw/article/details/76691248
本地生成SSL相关文件 3.1 证书生成脚本 我们自己本地使用 makefile.sh 脚本建立一个CA(ca.crt + ca.key),用这个CA给server和client分别颁发证书。
makefile.sh
# * Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # * Neither the name of the axTLS project nor the names of its # contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY # OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # Generate the certificates and keys for testing. # PROJECT_NAME="TLS Project" # Generate the openssl configuration files. cat > ca_cert.conf << EOF [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = $PROJECT_NAME Dodgy Certificate Authority EOF cat > server_cert.conf << EOF [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = $PROJECT_NAME CN = 192.168.111.100 EOF cat > client_cert.conf << EOF [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = $PROJECT_NAME Device Certificate CN = 192.168.111.101 EOF mkdir ca mkdir server mkdir client mkdir certDER # private key generation openssl genrsa -out ca.key 1024 openssl genrsa -out server.key 1024 openssl genrsa -out client.key 1024 # cert requests openssl req -out ca.req -key ca.key -new \ -config ./ca_cert.conf openssl req -out server.req -key server.key -new \ -config ./server_cert.conf openssl req -out client.req -key client.key -new \ -config ./client_cert.conf # generate the actual certs. openssl x509 -req -in ca.req -out ca.crt \ -sha1 -days 5000 -signkey ca.key openssl x509 -req -in server.req -out server.crt \ -sha1 -CAcreateserial -days 5000 \ -CA ca.crt -CAkey ca.key openssl x509 -req -in client.req -out client.crt \ -sha1 -CAcreateserial -days 5000 \ -CA ca.crt -CAkey ca.key openssl x509 -in ca.crt -outform DER -out ca.der openssl x509 -in server.crt -outform DER -out server.der openssl x509 -in client.crt -outform DER -out client.der mv ca.crt ca.key ca/ mv server.crt server.key server/ mv client.crt client.key client/ mv ca.der server.der client.der certDER/ rm *.conf rm *.req rm *.srl