ssl cross-domain

Securing a private IP address (https certificate)


I have an unusual use case:

Side question: Since the device is locally connected to the PC, the encryption is pretty useless. Does an HTTP header exist that allows insecure connections to a specific URL? (like CORS for cross domain)

Main question: Is it possible to obtain a certificate for a private IP address?

Edit: it seems that Plex had a similar problem and solved it the way described on this blog. This is way too big for me.


Solution

  • Is it possible to obtain a certificate for a private IP address?

    A certificate can be bound to an IP address (see this). You can issue a self-signed certificate to a private address, but a trusted CA will not issue a certificate to a private address because it cannot verify its identity.

    For example, a certificate issued to 192.168.0.1 would be theoretically valid in any context, and this should not be allowed by a trusted CA.

    Plex solves the problem with a Dynamic DNS and a wildcard certificate. The connections are made using the name (not the IP) of the device, which is resolved to the private IP.

  • Does an HTTP header exist that allows insecure connections to a specific URL? (like CORS for cross domain)

    No, it does not exist. The browser blocks your XHR connections because they are HTTP connections initiated from an HTTPS page (mixed-content warning). Non-secure content can theoretically be read or modified by attackers, even though the parent page is served over HTTPS, so it's normal and recommended that the browser warns the user.

    To fix the mixed-content and HTTPS errors, you could serve the content through HTTPS and a self-signed certificate, and request users to import your root CA into their browser.
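
The name-based approach the answer attributes to Plex, modelled as an added example (not code from the answer or from Plex): it shows why a device reached by name under a wildcard certificate passes the browser's hostname check. The zone `devices.example.test`, the dash-encoded label scheme and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed zone for which a public CA has issued a wildcard certificate.
ZONE = "devices.example.test"
WILDCARD = "*." + ZONE
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _private_v4(text):
    """Parse an IPv4 address and insist that it lies in an RFC 1918 range."""
    addr = ipaddress.IPv4Address(text)  # raises ValueError on bad input
    if not any(addr in net for net in RFC1918):
        raise ValueError(f"{addr} is not an RFC 1918 address")
    return addr

def name_for(ip):
    """Encode a device's private IP as ONE DNS label under ZONE."""
    # Dashes instead of dots: a wildcard covers exactly one label, so
    # 192.168.0.1.devices.example.test would not match the certificate.
    return str(_private_v4(ip)).replace(".", "-") + "." + ZONE

def resolve(name):
    """The A record the dynamic DNS side would return for a device name."""
    label, _, zone = name.lower().rstrip(".").partition(".")
    if zone != ZONE:
        raise ValueError("name is outside the device zone")
    # Only answer with private addresses, so the zone cannot be used to
    # point certificate-covered names at arbitrary public hosts.
    return str(_private_v4(label.replace("-", ".")))

def wildcard_matches(pattern, host):
    """Hostname check as browsers apply it: '*' is the left-most label only."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False
    return p[0] in ("*", h[0]) and p[1:] == h[1:]

if __name__ == "__main__":
    host = name_for("192.168.0.1")  # constructed sample device address
    print(host, "->", resolve(host))
    print("covered by", WILDCARD, ":", wildcard_matches(WILDCARD, host))
    dotted = "192.168.0.1." + ZONE
    print(dotted, "covered:", wildcard_matches(WILDCARD, dotted))
```

The page then loads `https://192-168-0-1.devices.example.test/` instead of the bare IP, so the request is no longer mixed content and the certificate name matches.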