Score:0

How does SSL certificate map to server IP when it is issued for domain name?

in flag

I have an apache webserver on say a public IP address x.x.x.x

I have purchased a domain name somename.com

My administrator has mapped the IP address to the domain name.

I have an SSL certificate issued for the domain name and this is installed on the web server.

When a user (browser) enters the web url, the request will go to the IP address (web server, via the DNS server). The web server will respond to the user (browser).

But the SSL certificate is mapped only to domain name, not IP address. So how does SSL certificate map to server IP when it is issued for domain name?

Score:4
cn flag

So how does SSL certificate map to server IP when it is issued for domain name?

It doesn't. If a certificate is issued to some domain name, then no one cares about the web server's IP address where the resource is located. The TLS client checks whether the requested address (in the address bar, for example) matches the name in the server certificate. No one cares about the IP address, because it is used only for transport and routing purposes.

If there were a mapping to the IP address, then you would have to acquire a new certificate every time your IP changed. This is why DNS was invented.
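As an added example (not code from the question or the answer): the name-against-certificate check the answer describes, written in Python over a constructed certificate dictionary in the shape `ssl.SSLSocket.getpeercert()` returns. The IP the client connected to is passed in only to show it plays no part; all names and addresses are hypothetical.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (hypothetical values, not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "somename.com"),),),
    "subjectAltName": (("DNS", "somename.com"), ("DNS", "*.somename.com")),
}


def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125-style match: case-insensitive exact match, or a wildcard
    only as the whole leftmost label, matching exactly one label
    ("*.somename.com" covers "www.somename.com", not "somename.com")."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def certificate_names(cert: dict, kind: str = "DNS") -> list:
    """Names the certificate is issued for: SANs of the given kind; the
    subject CN is consulted only when the certificate has no SANs at all."""
    sans = cert.get("subjectAltName", ())
    if sans:
        return [v for t, v in sans if t == kind]
    if kind != "DNS":
        return []
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def verify_peer(cert: dict, requested: str, connected_ip: str) -> bool:
    """The check a TLS client performs: the name typed in the address bar
    against the certificate. connected_ip is accepted only to make the
    point explicit: it is never consulted, so the certificate stays valid
    after the server moves to a new IP, and a literal IP in the URL
    matches only an "IP Address" SAN, never a DNS name."""
    del connected_ip  # deliberately unused: routing, not identity
    try:
        ipaddress.ip_address(requested)
    except ValueError:
        return any(_dns_match(p, requested) for p in certificate_names(cert))
    return requested in certificate_names(cert, "IP Address")
```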

in flag
So do I have to install the SSL on web server or at DNS level?
cn flag
On the web server. DNS is only a functionality that resolves names to IPs.
in flag
So the certificate only ensures that the browser is able to validate the name? It doesn't prevent an attack wherein, say, if the DNS is hacked and takes the user to the attacker's web server, then the user (browser) will be unaware?
cn flag
But the attacking HTTP server should not be able to get a (valid) certificate that matches the hostname. (There is also a separate system called DNSSEC which can be used to validate the DNS hostname to IP address mapping.)
cn flag
`if the dns is hacked` -- correct, if DNS is hacked/poisoned, you will be routed anywhere else. However, the browser will fail the connection because the rogue website must present a legitimate certificate and possess the private key. In other words, it must have the exact same certificate with private key as the legitimate one.
in flag
The web server must possess the private key (that was used to create the certificate); otherwise the web server will not be able to decrypt the request - got it!