Using an IP Address in an SSL Certificate
The lowdown on IPs in SSL certificates
We're often asked if an IP address can be used in an SSL certificate in place of a fully qualified domain name. The short answer is yes, but we don't recommend it. If your IP address changes, your SSL certificate can become useless.
If you decide that you really need an IP in your cert, there are specific stipulations, conditions, and limitations to consider.
Requirements and restrictions on IP addresses in SSL certificates
- Public IP addresses only (e.g., 220.127.116.11)
- Reserved IP addresses (local) are not allowed (e.g., 10.0.0.0)
- Domain Validated (DV) and Organization Validated (OV) certificates only (EV certs cannot have an IP address)
- You must prove that you control the IP by hosting a .txt file containing a generated random string token at a predetermined location on your website. This token and instructions will be provided to you after submitting your IP SSL order. You'll want to review the steps required to prove IP ownership by the HTTPS File-based Token DCV method before placing an IP certificate order.
Which SSL certificate products will support a public IP address?
- Any of the first 3 DV (non-wildcard) certificates offered on this page: https://www.geocerts.com/dv-domain-validated-ssl-certificates
- Any of the first 3 OV (non-wildcard) certificates offered on this page: https://www.geocerts.com/ov-organization-validated-ssl-certificates
Can I add an IP Address as a SAN mixed with other IP Addresses or FQDNs?
Yes! You can add a SAN for an IP Address to any non-EV Multi-domain Certificate. The SANs must meet the same requirements and restrictions mentioned above.
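The following pre-order check is an added example, not GeoCerts code. It applies the restrictions listed above to a requested SAN list that mixes IP addresses and FQDNs. The function names are hypothetical, and it assumes that "public" can be approximated by Python's `ipaddress.is_global`; the CA's own reserved-range list may differ.

```python
import ipaddress

def classify_san(entry):
    """Return ("ip", address object) or ("dns", lowercased name) for one SAN entry."""
    text = entry.strip()
    try:
        return "ip", ipaddress.ip_address(text)  # accepts IPv4 and IPv6 literals
    except ValueError:
        return "dns", text.lower()

def preorder_problems(sans, validation="DV"):
    """List the reasons a requested SAN set conflicts with the restrictions above."""
    problems = []
    for entry in sans:
        kind, value = classify_san(entry)
        if kind != "ip":
            continue  # FQDN validation is outside the scope of this check
        if validation.upper() == "EV":
            problems.append(f"{value}: EV certificates cannot have an IP address")
        # Assumption: is_global stands in for "public". It is False for
        # RFC 1918, loopback, link-local and shared (100.64.0.0/10) ranges.
        if not value.is_global:
            problems.append(f"{value}: reserved (local) address, public IPs only")
    return problems

if __name__ == "__main__":
    # Constructed sample order; the two IPs from the list above plus one more.
    requested = ["www.example.com", "220.127.116.11", "10.0.0.0", "192.168.1.20"]
    for line in preorder_problems(requested, "OV") or ["no problems found"]:
        print(line)
```

Running it before placing an order catches a reserved address or an EV request early, before the token-based control check is attempted.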
If you absolutely cannot prove you control the IP
If you cannot prove your organization has been assigned the IP by placing a .txt file on your web server, there is a workaround, but it's not recommended as a first choice. The vetting team can attempt to call the Point of Contact (POC) listed on the WHOIS for your IP address to confirm you have permission to use the IP. Please understand that while the vetting team can attempt to place a call to the POC, there's no guarantee the POC will call them back.
To see the underlying WHOIS information for your IP, you can use the following registries, which are approved for official IP contacts and assignments.
- ARIN - American Registry for Internet Numbers
- AFRINIC - African Network Information Center
- APNIC - Asia-Pacific Network Information Centre
- LACNIC - Latin America and Caribbean Network Information Centre
- RIPE NCC - Réseaux IP Européens Network Coordination Centre
When using ARIN, you don't need an account. Type your IP in the upper-right corner of the page in the SEARCH WhoisRWS box.