
Bind Certificate to IP Address

TL;DR

You want a specific certificate used only when someone connects to your server using a particular IP address. This guide shows how to do it, covering common methods like 802.1x and general secure protocol configurations.

Understanding the Problem

Normally, certificates are bound to domain names (like www.example.com). Binding to an IP address is less common but useful for specific scenarios – perhaps a test environment, internal services, or when you don’t have a DNS record.

Solution Guide

  1. Choose Your Secure Protocol: The steps vary depending on what protocol you’re using. Common options include:
    • 802.1x (Port-Based Network Access Control): Often used in enterprise networks for wired and wireless access.
    • TLS/SSL (HTTPS): The standard secure web protocol.
    • VPNs (e.g., OpenVPN, WireGuard): Secure tunnels for remote access.

    This guide will cover general principles applicable to most protocols, with specific notes where relevant.

  2. Certificate Requirements: You’ll need a valid SSL/TLS certificate. This can be:
    • A publicly trusted certificate from a Certificate Authority (CA).
    • A self-signed certificate (for testing, but not recommended for production).
  3. Configure Your Server: The core of the process involves telling your server which certificate to use when connections come in on the target IP address. This is done within the server’s configuration files.
    • Apache (HTTPS): Edit your virtual host file (e.g., /etc/apache2/sites-available/your_site.conf). Add a new block specifically for the IP address:
      <VirtualHost 192.168.1.100:443>
          ServerName your_ip_address
          DocumentRoot /var/www/your_site
          SSLEngine on
          SSLCertificateFile /path/to/your/certificate.crt
          SSLCertificateKeyFile /path/to/your/private.key
      </VirtualHost>

      Restart Apache: sudo systemctl restart apache2

    • Nginx (HTTPS): Edit your server block file (e.g., /etc/nginx/sites-available/your_site). Add a new server block for the IP address:
      server {
          # bind this block to the target address and enable TLS on it;
          # without the "ssl" parameter nginx would serve plain HTTP on 443
          listen 192.168.1.100:443 ssl;
          server_name 192.168.1.100;
          root /var/www/your_site;

          ssl_certificate /path/to/your/certificate.crt;
          ssl_certificate_key /path/to/your/private.key;
      }

      Restart Nginx: sudo systemctl restart nginx

    • 802.1x (RADIUS Server): Configure your RADIUS server (e.g., FreeRADIUS) to request a client certificate during authentication. The server will then validate the certificate against a trusted store, and you can associate specific IP address ranges with allowed certificates.

      This typically involves configuring EAP-TLS or similar protocols in your RADIUS configuration.

  4. Firewall Configuration: Ensure your firewall allows traffic on the relevant port (e.g., 443 for HTTPS) to the target IP address.
    sudo ufw allow from 192.168.1.0/24 to 192.168.1.100 port 443 proto tcp
  5. Testing: Use a tool like OpenSSL or a web browser to connect to the IP address and verify that the correct certificate is being served.
    openssl s_client -connect 192.168.1.100:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
  6. Troubleshooting:
    • Certificate Errors: Double-check the paths to your certificate and private key in your server configuration. Ensure the permissions are correct (private key should be readable only by the server user).
    • Firewall Issues: Verify that your firewall is allowing traffic on the correct port.
    • DNS Resolution: If you’re using a domain name alongside an IP address, ensure DNS is resolving correctly.
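A client that connects by IP address (steps 2 and 5) only trusts the certificate if the address appears as an IP entry in its Subject Alternative Name; a matching CN alone is not enough for current browsers, and no SNI is sent, so the default vhost on that address and port must be the one holding the certificate. The script below is an added example, not part of the original guide: it issues a self-signed certificate with an IP SAN and checks a certificate file for that entry, assuming the address 192.168.1.100 and an output directory passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original guide): issue a self-signed
# certificate with an iPAddress SAN and verify a certificate carries it.
# The address 192.168.1.100 and the output paths are assumptions.
set -eu

# make_ip_cert DIR IP -> writes DIR/certificate.crt and DIR/private.key
# (self-signed, 30 days; production would use a CA-issued cert instead)
make_ip_cert() {
    dir="$1"; ip="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$dir/private.key" -out "$dir/certificate.crt" \
        -subj "/CN=$ip" \
        -addext "subjectAltName = IP:$ip" 2>/dev/null
    # private key readable only by its owner (see Troubleshooting)
    chmod 600 "$dir/private.key"
}

# cert_has_ip_san FILE IP -> exit 0 only if the SAN lists "IP Address:IP"
# -w keeps 192.168.1.1 from matching a SAN of 192.168.1.100
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 "Subject Alternative Name" \
        | grep -qwF "IP Address:$2"
}

# served_cert_has_ip_san HOST:PORT IP -> same check against a live server
# (needs a running server; not exercised offline)
served_cert_has_ip_san() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -A1 "Subject Alternative Name" \
        | grep -qwF "IP Address:$2"
}

# usage: ./make_ip_cert.sh /tmp/certs
if [ "$#" -eq 1 ]; then
    make_ip_cert "$1" 192.168.1.100
    cert_has_ip_san "$1/certificate.crt" 192.168.1.100 \
        && echo "certificate.crt carries IP SAN 192.168.1.100"
fi
```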