self-signed certificate SANs ignored in wss connection

Time:11-30

The web service can be accessed both via IP and via DNS name.
A self-signed certificate containing the DNS name as common name, and both the DNS name and the IP as Subject Alternative Names, is created with the following command:

# Self-signed server certificate: the CN carries the domain name, the
# subjectAltName extension carries both the domain name and the IP address.
openssl req \
  -x509 \
  -nodes \
  -subj "/O=www.example.com/CN=${domain_name}" \
  -addext "subjectAltName=DNS:${domain_name},IP:${ip_addr}" \
  -newkey rsa:4096 \
  -keyout /path/to/key.pem \
  -out /path/to/cert.pem \
  -addext "extendedKeyUsage = serverAuth" \
  -days 365

Opening the web page through the IP address and accepting the browser warning works.
The page then initiates a new WSS connection to the DNS name, but it fails because of an invalid certificate.

How should I set up my certificate so that browsers trust both the IP and the domain name when starting a WSS connection?

CodePudding user response:

Adding a security exception when accepting the security warning about an untrusted certificate is not done for the certificate, but for the combination of certificate, domain and port from the URL. Since the HTML is accessed by IP address but the WebSocket by hostname, the exception added for the first will not cover the second.

The best way is not to accept security warnings in the first place, but instead to add the certificate as trusted in the browser. In this case the certificate will be trusted for all the IPs and domains given in the certificate.
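The behaviour the answer describes, as an added example that is not part of the original question or answer: the script issues a self-signed certificate with DNS and IP SANs (the same openssl invocation as in the question, with a 2048-bit key only to keep generation fast), then uses `openssl verify` with the certificate itself as the trust anchor, which is what "add the certificate as trusted in the browser" amounts to. With the certificate trusted, it validates for both the hostname and the IP but not for a name outside its SANs; without trust, the very same certificate validates for nothing, which is the state a per-URL exception leaves the WebSocket origin in. The hostname `app.example.test` and the IP `192.0.2.10` are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Requires openssl >= 1.1.1 for -addext.
set -eu

DOMAIN_NAME="${DOMAIN_NAME:-app.example.test}"   # assumed placeholder hostname
IP_ADDR="${IP_ADDR:-192.0.2.10}"                 # assumed placeholder IP (TEST-NET-1)
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/cert.pem"
KEY="$WORKDIR/key.pem"

# Same shape as the question's command: CN = domain, SAN = DNS + IP, serverAuth EKU.
make_cert() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/O=www.example.com/CN=${DOMAIN_NAME}" \
    -addext "subjectAltName=DNS:${DOMAIN_NAME},IP:${IP_ADDR}" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# Trust the certificate itself (-CAfile "$CERT"), then ask whether it is valid
# for a given hostname. X509_check_host matches against the DNS SAN entries.
check_host() {
  if openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Same, but matching the iPAddress SAN entries.
check_ip() {
  if openssl verify -CAfile "$CERT" -verify_ip "$1" "$CERT" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# The same certificate with no trust anchor at all: self-signed, so it fails
# regardless of which name or IP the client connected to.
check_no_trust() {
  if openssl verify "$CERT" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_cert

echo "SANs in the certificate:"
openssl x509 -in "$CERT" -noout -ext subjectAltName
echo "trusted cert, hostname ${DOMAIN_NAME}: $(check_host "$DOMAIN_NAME")"
echo "trusted cert, IP ${IP_ADDR}:           $(check_ip "$IP_ADDR")"
echo "trusted cert, other.example.test:      $(check_host other.example.test)"
echo "untrusted cert, any name:              $(check_no_trust)"
```

The key point the script makes visible is that once the certificate is in the trust store, the SAN list alone decides which names and IPs it is valid for, so one certificate listing both the domain name and the IP covers the HTML page fetched by IP and the WebSocket opened by hostname. A browser's per-site exception never consults the SAN list in that way.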
