How to Get an SSL Certificate for Public IP Address: Solutions for Bug Trackers and Internal Tools



Many developers encounter this exact scenario: You've got an internal tool (like a bug tracker, CI server, or monitoring dashboard) running on a dedicated server with only a public IP address. Standard SSL providers like Comodo reject certificate requests because they typically require domain validation (DV) through DNS or HTTP methods.


# Typical error you might see:
Error: Certificate issuance failed - Domain validation not possible for IP addresses

Certificate Authorities have largely phased out IP-based certificates due to:

  • Security concerns (easier to spoof IPs than domains)
  • IPv4 address exhaustion making validation problematic
  • Lack of standardized validation methods

Option 1: Specialized Certificate Providers

These CAs still offer IP certificates:

  • DigiCert (their Enterprise PKI solution)
  • Sectigo (formerly Comodo Enterprise SSL)
  • GlobalSign (through their enterprise division)

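# Example openssl CSR generation for IP cert:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -addext "subjectAltName=IP:203.0.113.45"
# When prompted for "Common Name", enter your public IP (e.g., 203.0.113.45)
# -addext puts the IP into the SAN of the request; browsers match IPs against the SAN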

Option 2: Self-Signed Certificate with Client Trust

For internal tools, this might be sufficient:


# Generate self-signed cert:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout server.key -out server.crt -subj "/CN=203.0.113.45" \
  -addext "subjectAltName=IP:203.0.113.45"

Option 3: Local DNS Mapping

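Create a cheap domain (even .local) and point it to your IP. A .local name cannot be validated by a public CA, so it still needs a self-signed or private-CA certificate: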


# Example Nginx config:
server {
    listen 443 ssl;
    server_name bugs.yourcompany.local;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    # Rest of your config...
}

When configuring your web server:

  • Modern browsers require Subject Alternative Name (SAN) extension for IP addresses
  • Include the IP in both the CN and SAN fields
  • Consider certificate lifetime - IPs change more often than domains

For security-conscious teams, placing the tool behind a VPN is an alternative:


# WireGuard example config:
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = [your_private_key]

[Peer]
PublicKey = [client_public_key]
AllowedIPs = 10.8.0.2/32

This eliminates the need for public IP access entirely.


While working on our internal bug tracking system hosted on a dedicated server, we encountered a common infrastructure challenge: securing direct IP access with SSL. Many developers face this when:

  • Running internal tools without domain names
  • Testing environments with direct IP access
  • Industrial IoT devices with static IPs

Most CA providers like Comodo reject IP addresses due to security policies and baseline requirements from the CA/Browser Forum.

After extensive research, here are the viable solutions:

1. DigiCert IP SSL Certificates

DigiCert offers specialized certificates for public IPs. Example OpenSSL CSR generation:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=203.0.113.45" -addext "subjectAltName=IP:203.0.113.45"

Validation requires proving ownership of the IP block via:

  • WHOIS record verification
  • Reverse DNS control
  • HTTPS file verification

2. Self-Signed Certificates with Automation

For internal development environments, a self-signed certificate might suffice:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout ip.key -out ip.crt -subj "/CN=203.0.113.45" \
  -addext "subjectAltName=IP:203.0.113.45"

Browser warning bypass solutions:

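# Chrome (macOS application path shown)
# --ignore-certificate-errors turns off certificate validation for every site
# opened in this browser instance, not only for 203.0.113.45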
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
  --ignore-certificate-errors \
  --ignore-urlfetcher-cert-requests \
  --allow-insecure-localhost https://203.0.113.45

3. Reverse Proxy with Domain Certificate

Practical workaround using Nginx:

server {
    listen 443 ssl;
    server_name bugtracker.internal;
    ssl_certificate /path/to/domain.crt;
    ssl_certificate_key /path/to/domain.key;
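    location / {
        # Forwards to the tracker over plain HTTP; this hop is not encrypted
        proxy_pass http://203.0.113.45:8080;
        # Pass the requested host name through to the backend
        proxy_set_header Host $host;
    }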
}

For production environments serving multiple clients:

  • GlobalSign offers Organization Validation (OV) certificates for IPs
  • DigiCert's Enterprise PKI can issue internal certificates
  • Consider implementing a proper domain name (e.g., bugtracker.yourcompany.com)

When implementing SSL for IP addresses:

  1. Always verify IP ownership before certificate issuance
  2. Implement certificate pinning for critical services
  3. Monitor for certificate expiration (IP certs typically have shorter validity)
  4. Consider implementing client certificate authentication for additional security
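
The checklists above ask for the IP in the SAN field and for expiry monitoring. The shell script below is an added example, not part of the original article: it checks both with openssl against constructed self-signed test certificates. The function names, file names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). 203.0.113.45 is the article's
# sample IP; function names, file names and the 30-day threshold are assumptions.

# check_ip_cert CERT IP [MIN_DAYS]
#   0 = IP is an iPAddress SAN and the cert outlives MIN_DAYS (default 30)
#   1 = IP missing from the SAN (a CN-only cert lands here)
#   2 = cert expires within MIN_DAYS
check_ip_cert() {
    cert=$1 ip=$2 min_days=${3:-30}
    # -checkip compares against iPAddress SAN entries only; the CN is ignored.
    if ! openssl x509 -in "$cert" -noout -checkip "$ip" | grep -q 'does match'; then
        echo "FAIL: $ip is not an iPAddress SAN in $cert"
        return 1
    fi
    # -checkend exits non-zero if notAfter falls inside the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days"
        return 2
    fi
    echo "OK: $cert covers $ip for more than $min_days more days"
}

# make_demo_cert OUT DAYS [SAN]: constructed self-signed test cert for the demo.
make_demo_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -sha256 -days "$2" -nodes \
            -keyout "$1.key" -out "$1" -subj "/CN=203.0.113.45" \
            -addext "subjectAltName=$3" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -sha256 -days "$2" -nodes \
            -keyout "$1.key" -out "$1" -subj "/CN=203.0.113.45" 2>/dev/null
    fi
}

demo() {
    d=$(mktemp -d)
    make_demo_cert "$d/san.crt" 365 "IP:203.0.113.45"   # expected: OK
    make_demo_cert "$d/cn_only.crt" 365                  # expected: FAIL (no SAN)
    make_demo_cert "$d/short.crt" 7 "IP:203.0.113.45"    # expected: FAIL (expiry)
    for c in san.crt cn_only.crt short.crt; do
        check_ip_cert "$d/$c" 203.0.113.45 30 || true
    done
    rm -rf "$d"
}
demo
```

Run `check_ip_cert` from cron against the deployed certificate file and alert on a non-zero exit status.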