java – How to create a SSL certificate for a host without domain?-Exceptionshub

Posted by: admin February 25, 2020

Questions:

I am testing and debugging a system where application A submits a POST request to a URL when some event occurs. One of my programs, application B, must react to this event.

Application A requires that the URL uses HTTPS. I don’t want to use a self-signed certificate because it may cause problems (curl complains about the self-signed certificate when I test it locally).

Let’s Encrypt can create an SSL certificate for free, but requires a domain. This is a problem for me because application B runs on a virtual machine. Whenever the machine is restarted, it gets a different IP address. Currently, there is no domain associated with that machine (i.e. you can only access it via a URL like http://aaa.bbb.ccc.ddd/).

Is there a way to use a non-self-signed certificate for an application without a domain (i.e. one that runs on a URL like http://aaa.bbb.ccc.ddd/)? If not, what is the easiest way to make a Spring Boot application (application B) support a non-self-signed SSL certificate?

There is one answer suggesting creating one’s own certificate authority and installing it on all machines that access the URL. This is not an option for me because I have no control over application A.

Update 1: Application B runs on an EC2 instance in AWS.

How to & Answers:

> Let’s Encrypt can create an SSL certificate for free, but requires a domain. This is a problem for me because application B runs on a virtual machine. Whenever the machine is restarted, it gets a different IP address.

It does not matter if the IP changes since all that is checked is the domain name. Thus, if the machine gets a new IP address you need to update the DNS to point to this new domain name.

In general the client will check if the subject/SAN of the certificate matches the domain in the URL. It is not possible to get a certificate which is generic enough to cover all the IP addresses you could get. Thus, having your own fixed domain name with a dynamic IP address behind it is the way to go if you want to use normal clients to access the site.
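
The check described in the answer above, as an added example that is not part of the original post: a simplified Python model of how a TLS client compares the host in the URL with the certificate's subjectAltName entries. The host name `app-b.example.test` and the 203.0.113.x addresses are constructed, and real clients apply further rules beyond this sketch.

```python
import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern: str, host: str) -> bool:
    """Compare one dNSName SAN entry with a host name (case-insensitive)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the whole leftmost label,
    # and never directly under a top-level label such as "*.test".
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def url_matches_cert(url: str, san_dns=(), san_ip=()) -> bool:
    """True if the host in `url` is covered by the certificate's SAN entries."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Host is a name: only dNSName entries are considered.
        return any(_dns_match(p, host) for p in san_dns)
    # Host is an IP literal: only iPAddress entries count, never dNSName.
    return any(addr == ipaddress.ip_address(ip) for ip in san_ip)


def demo() -> dict:
    """Constructed scenario: the VM restarts and moves from .10 to .77."""
    name_cert = {"san_dns": ["app-b.example.test"]}  # certificate issued for a domain
    ip_cert = {"san_ip": ["203.0.113.10"]}           # certificate pinned to the old IP
    return {
        # The domain URL is identical before and after the restart; only DNS changes.
        "domain_url": url_matches_cert("https://app-b.example.test/hook", **name_cert),
        # A certificate for the name does not cover access by raw IP.
        "ip_url_name_cert": url_matches_cert("https://203.0.113.10/hook", **name_cert),
        "old_ip_ip_cert": url_matches_cert("https://203.0.113.10/hook", **ip_cert),
        "new_ip_ip_cert": url_matches_cert("https://203.0.113.77/hook", **ip_cert),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```
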