Score:0

Is it possible to generate a certificate with a CN that contains only an asterisk?

st flag

I am developing a web server for a local device. The device will be accessed locally and not from outside, using a local IP address. I generated a certificate using openssl with CN=* in order to avoid the hostname check.

But this returns another error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.17.31', port=443): Max retries exceeded with url: /lua/device (Caused by SSLError(SSLCertVerificationError("sole wildcard without additional labels are not support: '*'.")))

My computer does not know the hostname of the device, but it knows the IP address, and I want the cert validation to be done automatically and not manually using a public key from my computer.

How can I make a certificate that does not generate an error in the hostname check?

in flag
Generating a certificate is most likely fine, you probably already did. The question is if it is valid and if you can use it. Even matching on IP can be hard (not allowed in SNI).
dave_thompson_085 avatar
jp flag
Note there are two parts to cert validation: (1) is it signed by a trusted CA (and not modified), and not out-of-validity or revoked? (2) does the host's certified identity (in SAN if present else CN) match the name in the requested URL? Only (1) uses root-CA public keys stored on your machine; (2) uses the name in the URL.
Score:1
jp flag

You can issue a certificate for the known IP using Subject Alternative Name (SAN).

in flag
However, remember that SNI does not allow matching on IP, so it might cause issues.
jp flag
@NiKiZe when a site is accessed with an IP like `https://1.1.1.1/` then SNI isn't initiated at all.
dave_thompson_085 avatar
jp flag
Using SAN is better practice, but most clients other than Chrome(ium?) -- including python requests -- accept the 'traditional' IPaddr-in-CN also.
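
One way to issue the IP-SAN certificate suggested in the answer above, next to the question's CN=* attempt for comparison. This is an added example, not part of the original thread; the file names and the helper functions `make_cert` and `cert_matches_ip` are assumptions, the IP is the one from the question's error message, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: self-signed certificates with and without an IP SAN.
# DEVICE_IP defaults to the address shown in the question's error message.
DEVICE_IP="${DEVICE_IP:-192.168.17.31}"

# make_cert <prefix> <CN> [subjectAltName value]
# Writes <prefix>.key and <prefix>.crt (RSA 2048, self-signed, 365 days).
make_cert() {
    prefix=$1
    cn=$2
    san=${3:-}
    set -- req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$prefix.key" -out "$prefix.crt" -subj "/CN=$cn"
    if [ -n "$san" ]; then
        set -- "$@" -addext "subjectAltName=$san"
    fi
    openssl "$@" 2>/dev/null
}

# cert_matches_ip <cert.pem> <ip>
# Succeeds only if OpenSSL's own IP check accepts the certificate for <ip>.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" |
        grep -q "does match certificate"
}

demo() {
    dir=$(mktemp -d)
    make_cert "$dir/star" '*'                              # the CN=* attempt
    make_cert "$dir/device" "$DEVICE_IP" "IP:$DEVICE_IP"   # IP in the SAN
    for c in star device; do
        if cert_matches_ip "$dir/$c.crt" "$DEVICE_IP"; then
            echo "$c.crt: matches $DEVICE_IP"
        else
            echo "$c.crt: does NOT match $DEVICE_IP"
        fi
    done
    rm -rf "$dir"
}
demo
```

The name match is only the second of the two validation parts described in the comments; for the first, the client still has to trust the certificate, which with python requests can be done by passing the generated `.crt` file as `verify=`.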