I haven’t tried this but searching google shows SSL.com does allow it granted you can demonstrate the requirements:
The IP address you wish to secure must be public, and your organization must own it.
The IP address ranges 10.x.x.x and 192.168.x.x are prohibited.
A WHOIS lookup of the IP address should show your organization’s name, address, phone number, and email contacts (not your web hosting provider’s).
Control over the IP address must be demonstrated by the HTTP/HTTPS file lookup method. The email challenge response and DNS CNAME lookup methods may not be used to validate an IP address.
If you are ok with ipv6, you can get a /48, and a 4-byte ASN for a few hundred dollars for the registration fee. The 4-byte ASN isn’t even necessary. You can then use AWS/Oracle/AliBaba or some other public cloud to advertise your registered ipv6 address block on your behalf. A whois will show the details you used with the registrar.
I’m pretty sure most browsers will straight up refuse to load content from bare IPv6 adresses regardless of cert status no? I remember having problems with this with an internal CA.
Right, it can be done, but would require a CA who supports that, not all do. For example, Let’s Encrypt doesn’t allow bare IP addresses. I was assuming the question about an IP address was raised due to aversion to purchase a domain name. If so, then TLS certificate is another cost to consider and if not using a domain name, then the main free option becomes unavailable.
there is a general “encrypted transport” requirement which in real world use mandates HTTPS (although it’s worded broadly to allow for onion services and whatnot which provide their own encryption outside TLS)
Having not read the spec, if there are any requirements for HTTPS, you most certainly will need a domain name for the TLS certificate.
SAN does support IPs.
If you can point me to a CA that will allow your to request a cert for an IP address that’d be great
I haven’t tried this but searching google shows SSL.com does allow it granted you can demonstrate the requirements:
10.x.x.xand192.168.x.xare prohibited.So you need to own and operate your own ASN. I guess that’s better than what I thought but it’s nowhere near attainable for regular people.
If you are ok with ipv6, you can get a /48, and a 4-byte ASN for a few hundred dollars for the registration fee. The 4-byte ASN isn’t even necessary. You can then use AWS/Oracle/AliBaba or some other public cloud to advertise your registered ipv6 address block on your behalf. A whois will show the details you used with the registrar.
I’m pretty sure most browsers will straight up refuse to load content from bare IPv6 adresses regardless of cert status no? I remember having problems with this with an internal CA.
Googleing it, is this relevant? https://superuser.com/a/367788
Not really. I ça t find an official source for this so maybe this has been fixed but from what I remember this was explicitly disabled for security.
https://support.pelco.com/s/article/You-cannot-access-an-IPV6-address-with-Firefox-through-HTTPS-1538586631284?language=en_US
Right, it can be done, but would require a CA who supports that, not all do. For example, Let’s Encrypt doesn’t allow bare IP addresses. I was assuming the question about an IP address was raised due to aversion to purchase a domain name. If so, then TLS certificate is another cost to consider and if not using a domain name, then the main free option becomes unavailable.
there is a general “encrypted transport” requirement which in real world use mandates HTTPS (although it’s worded broadly to allow for onion services and whatnot which provide their own encryption outside TLS)