Yes, it is technically possible to obtain an SSL/TLS certificate for an IPv6 address. While less common than domain-based certificates, major Certificate Authorities (CAs) like DigiCert, GlobalSign, and Sectigo do support IPv6 address certificates when proper validation is performed.
To get an IPv6 SSL certificate:
1. The IPv6 address must be publicly routable
2. You must prove ownership/control of the address
3. The address must be enclosed in square brackets in the certificate
Here's how to create a self-signed certificate for an IPv6 address:
openssl req -x509 -newkey rsa:4096 \
-sha256 -days 3650 -nodes \
-keyout ipv6.key -out ipv6.crt \
-subj "/CN=[2001:db8::1]" \
-addext "subjectAltName=IP:2001:db8::1"
For public CAs, you'll typically need to:
1. Prove control via:
- DNS PTR record verification
- HTTP/.well-known challenge on the IP
- Email verification to admin@[ipv6] (if supported)
2. The Subject Alternative Name (SAN) field must contain:
IP:2001:db8::1
(The openssl SAN syntax takes the bare address; the square brackets belong only to the URL form, and "IP:[2001:db8::1]" is rejected when the extension is built.)
Nginx configuration snippet:
server {
listen [::]:443 ssl;
server_name [2001:db8::1];
ssl_certificate /path/to/ipv6.crt;
ssl_certificate_key /path/to/ipv6.key;
# Rest of configuration...
}
Caveats:
1. Browser support varies - most modern browsers accept them but may show warnings
2. Certificate renewal becomes more complex with changing IPv6 addresses
3. Limited CA support compared to domain validation certificates
For most production scenarios, it's recommended to:
1. Assign a domain name to your IPv6 address
2. Get a standard domain-validated certificate
3. Use DNS AAAA records for resolution
Obtaining an SSL certificate for an IPv6 address is indeed feasible, though with some important caveats. The process differs slightly from traditional domain-based certificates but follows the same fundamental principles of PKI.
Example valid IPv6 URL format:
https://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]
Most public CAs have specific policies regarding IP address certificates:
- Let's Encrypt explicitly prohibits IP address certificates
- DigiCert offers them but requires extended validation
- GlobalSign provides them with organization validation
When generating a CSR for an IPv6 address, the Subject Alternative Name (SAN) field should contain the IPv6 address in standard notation:
openssl req -new -newkey rsa:2048 -nodes -keyout ipv6.key -out ipv6.csr -config ipv6.cnf
Sample SAN configuration (ipv6.cnf, referenced by -config above; the [req_distinguished_name] section must exist even when prompting is disabled):
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = 2001:db8::1
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 2001:db8::1
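As an added example (not part of the original answers) of how a TLS client matches a bracketed IPv6 URL against such a certificate: the brackets are stripped from the URL, the SAN carries the bare address, the comparison is on the parsed address rather than on the text (so "2001:0db8::1" and "2001:DB8::1" are the same), and the CN is never consulted. The SAN tuple is constructed for this example in the shape Python's ssl getpeercert() returns.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list, shaped like getpeercert()["subjectAltName"]; openssl prints
# IP entries expanded and in upper case, so the textual form differs from the URL's.
SAMPLE_SAN = (
    ("IP Address", "2001:DB8:0:0:0:0:0:1"),
    ("DNS", "api.example.test"),
)


def host_from_url(url):
    """Return the host of an https URL; an IPv6 literal comes back without its brackets."""
    return urlsplit(url).hostname


def san_matches_host(host, san):
    """RFC 6125-style reference identity check.

    An IP literal in the URL matches only an 'IP Address' SAN entry, compared as a
    parsed address (byte-for-byte), never as a string. DNS entries never match an
    IP literal, and the certificate's CN plays no part at all.
    """
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: plain DNS-name comparison (wildcards deliberately omitted).
        return any(kind == "DNS" and value.lower() == host.lower() for kind, value in san)
    for kind, value in san:
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == wanted:
                return True
        except ValueError:
            # A bracketed value mistakenly placed in the SAN never parses as an
            # address, so it can never match anything.
            continue
    return False


def url_matches_san(url, san):
    """Combine both steps: extract the host from the URL and check it against the SAN."""
    return san_matches_host(host_from_url(url), san)
```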
For internal/testing purposes, creating your own CA works well:
# Generate CA
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
# v3.ext supplies the SAN again, because "openssl x509 -req" does not copy the CSR's
# requested extensions by default; it contains the single line:
#   subjectAltName = IP:2001:db8::1
# Sign certificate
openssl x509 -req -in ipv6.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out ipv6.crt -days 365 -sha256 -extfile v3.ext
While rare, some organizations use IPv6 certificates for:
- Internal API endpoints
- IoT device management
- Network appliances with web interfaces
Modern browsers generally handle IPv6 SSL certificates correctly, but you might encounter:
- Warning about IP address in certificate
- Certificate pinning issues
- Mixed content warnings with embedded resources