CSR Certificate Help

Question

Good Morning! Dear Sophos Community, Could you help me to understand about an issue, We are following a sophos KB support.sophos.com/.../KB-000041071 Which shows us how to generate the CSR certificate to be sent to the CA for signature, so far so good. The data that we must put in the certificate would be our local IP of the device, the big question mainly of my manager is whether the signature of the CA company that sends us the certificate will work for our model that we need, which is to put our Captive portal valid and safe for users who are going to use the wifi network. This signed certificate will it be recognized in the CA, even getting our local data? 
 I really need your help to understand this certificate process.

PhilippRusch · Accepted Answer

The only "connection" between DNS-names (used in a crtificate) and an IP-address is a DNS-Server and its information about which hostname has which IP. That's it! 
 There is no field inside SSL-certificates for an IP address, believe me. 
 So you can't "order" an SSL-certificate for a particular IP, only for a NAME. 
 And, yes, that name has to be a "real" host and domainname, you can't put "server1.company.local" here.

PhilippRusch · Answer

Hello, 
 Certificate are not dealing with IP-addresses. They are about DNS-Names like "mysophosgateway.yourdomain.com". 
 Whatever your DNS-Server resolves to this name, is valid for your clients. 
 Simply put: your internal DNS-Server can resolve the name "mysophos.yordomain.com" to e.g. 192.168.111.254 for your Sophos-FW internal LAN interface and everything is fine. 
 BUT: of course you need to own "yourdomain.com" to have a valid DNS-name in your (pubic) certificate which can be validated somehow by a public CA.

CSR Certificate Help

Top Replies