IP address as host name (CN) when creating a certificate? (Invalid HTTPS hostname: must be <ipAddress>)

Possible duplicate:
How SSL certificate server names are resolved / Can I add alternative names using keytool?

I created a certificate and set the CN to the IP address of my server, which is in the format xxx.xxx.xxx.xxx. But when I try to run my Java code, I get the error HTTPS hostname wrong: should be <xxx.xxx.xxx.xx>.

What could be wrong? I am sure that I am connecting to the correct IP address. However, I did not specify the server port in the certificate. Does the CN value need to include the port? But I use the default port for https, which is 8443. In addition, I tried to change my CN from the IP address of my server to "localhost". It works after that. I wonder whether the CN part does not accept an IP address as a value?

Could you explain how CN works and what its value is?

Thanks!

+7
1 answer

The identifier that you need to put in the certificate should be the one you are looking for through the URL. For example, if you use https://www.example.net, your certificate must be valid for www.example.net; if you use https://10.0.0.1/, your certificate must be valid for 10.0.0.1.

The Common Name RDN in the Subject DN of the certificate is usually used only when (a) there is no DNS Subject Alternative Name and (b) the client is looking for a host name, not an IP address. This is defined in RFC 2818 Section 3.1:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

[...]

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

In general, using an IP address in certificates is not recommended (see the problems mentioned in RFC 6125). However, if you really need to, you will need a certificate with a SAN entry of type IP address, which you can create as described in this answer.

+23
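The RFC 2818 Section 3.1 rules quoted in the answer above, as an added example that is not part of the original answer: a simplified matcher over a certificate in the dictionary shape returned by Python's `ssl` `getpeercert()`. The function name and the sample certificates are constructed for illustration, and wildcard names are not handled.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def match_identity(cert, url_host):
    """Apply the RFC 2818 section 3.1 rules; returns (matched, reason)."""
    sans = cert.get("subjectAltName", ())
    host_ip = _as_ip(url_host)
    if host_ip is not None:
        # IP in the URL: only an iPAddress SAN counts, the CN is never consulted.
        san_ips = [_as_ip(v) for t, v in sans if t == "IP Address"]
        if host_ip in san_ips:
            return True, "matched iPAddress SAN"
        return False, "no matching iPAddress SAN (CN is ignored for IP hosts)"
    dns_names = [v.lower() for t, v in sans if t == "DNS"]
    if dns_names:
        # A dNSName SAN is present, so it is the only identity that counts.
        if url_host.lower() in dns_names:
            return True, "matched dNSName SAN"
        return False, "dNSName SAN present but none matched (CN is ignored)"
    # Legacy fallback: no dNSName SAN, so the Common Name is compared.
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    if url_host.lower() in cns:
        return True, "matched Common Name (legacy fallback)"
    return False, "no identity matched"

# Constructed sample certificates (not taken from a real server).
CN_ONLY_IP = {"subject": ((("commonName", "10.0.0.1"),),)}
CN_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
SAN_IP = {"subject": ((("commonName", "10.0.0.1"),),),
          "subjectAltName": (("IP Address", "10.0.0.1"),)}
SAN_DNS = {"subject": ((("commonName", "other.example.net"),),),
           "subjectAltName": (("DNS", "www.example.net"),)}

if __name__ == "__main__":
    for name, cert, host in [("CN only, IP in URL", CN_ONLY_IP, "10.0.0.1"),
                             ("CN=localhost", CN_LOCALHOST, "localhost"),
                             ("IP SAN", SAN_IP, "10.0.0.1"),
                             ("DNS SAN vs CN", SAN_DNS, "other.example.net")]:
        print(name, "->", match_identity(cert, host))
```

The first case is the situation from the question (IP address only in the CN), and the second is the "localhost" change that made it work.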