A PCI Compliance scanner is balking that the self signed SSL certificate protecting secure access to Plesk Panel contains a name mismatch between the location of the Plesk Panel and the name on the certificate, namely the self-signed cert’s name is “Parallels” and the domain to reach Plesk is ‘ip address:8443’.
So I figured I would go ahead and get a free SSL certificate to try to fiddle with this error. But when I generated the certificate I used my server domain name as the site name when I generated the certificate. So if I visit ‘domain name:8443’ all is fine, no ssl warning. But if I visit ‘ip address:8443’ (which I believe is what the scanner does) I get the certificate name mismatch error, Digicert’s ssl checker says that the certificate name should be the ip address.
Can I even generate a certificate whose common name is the ip address? I am tempted to say I should just do what the PCI scanner accepts, but what is really the correct common name to use? Anybody run into this issue before?
3
Answers
You can try a Subject Alternative Name extension for the IP address. Also, you can keep “Parallels” as the Common Name, and add a Subject Alternative Name extension for the DNS name, which should be the preferred match (i.e. higher precedence than Common Name.)
(Thanks Bruno for pointing to right solution) There is enough to set subjectAltName in CSR.
IFAIK there is no such option in Plesk, but here good instruction for openssl http://apetec.com/support/GenerateSAN-CSR.htm
No, you shouldn’t. While this may work with some browser, this will fail with clients that are compliant with the HTTPS specification:
If you want to use an IP address in a certificate, you must have it in as a Subject Alternative Name (of type IP address, not DNS). You can check this question for details on how to do this.
However, more importantly, it sounds like in your case you don’t need to use the IP address at all.
The purpose of certificate name verification is to check that the identity in the certificate matches the identity as requested by the client. (Reverse lookups or other names don’t matter.)
The fact that you’ve already configured your system for your domain name and that it works when using the name means that it’s already configured properly. It sounds like your giving your scanning tool the IP address of what you’re trying to scan (which isn’t what the clients would normally use): make it use your host name instead. That’s what the scanning tool should try to compare anyway.