ACME-Server-ADCS

Do you plan to support RFC8738 for IP-Addresses in Certs?

Open aleschmidt opened this issue 9 months ago • 1 comments

RFC Allow IP-Addresses in Certs: https://www.rfc-editor.org/rfc/rfc8738.html

aleschmidt avatar Mar 06 '25 09:03 aleschmidt

Currently only dns identifiers are supported, but this one looks rather simple to do. So I'd say yes - possible and will be implemented in the future.

glatzert avatar Mar 07 '25 13:03 glatzert

https://github.com/glatzert/ACME-Server-ADCS/releases/tag/V3.0.0-alpha1 now implements RFC 8738. It's not tested on a server yet, but it feels promising, since it's not too far from dns with http-01

glatzert avatar Apr 21 '25 11:04 glatzert

Hi,

Thank you for your fast deployment of the V3 alpha. I tested it with different ACME clients, and all of them run into an issue before the CSR is requested from ADCS. According to the logs in debug mode, Th11s.ACMEServer.CertProvider.ADCS.CSRValidator, which uses the module AlternateNameValidator.cs, allows the CSR validation check only for XCN_CERT_ALT_NAME_DNS_NAME and has no case for XCN_CERT_ALT_NAME_IP_ADDRESS.

Hope this feedback will help you. :)

aleschmidt avatar Apr 25 '25 12:04 aleschmidt

I just released alpha2, which also has a test supporting that IPv4 and v6 are now properly validated during CSR/SAN validation.

glatzert avatar Apr 25 '25 19:04 glatzert
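
The CSR/SAN check discussed in the two comments above, as an added example that is not the project's code (the project is C#; this is a Python sketch). It assumes the SAN entries have already been extracted from the CSR as (GeneralName tag, raw bytes) pairs, and all sample values are constructed.

```python
import ipaddress

# GeneralName context tags from X.509 (RFC 5280): dNSName [2], iPAddress [7].
SAN_DNS, SAN_IP = 2, 7

def normalize_identifier(id_type, value):
    """Canonical (type, value) form of an ACME order identifier."""
    if id_type == "dns":
        return ("dns", value.lower())
    if id_type == "ip":
        # RFC 8738 identifiers are textual; ip_address() rejects CIDR and garbage.
        return ("ip", ipaddress.ip_address(value))
    raise ValueError(f"unsupported identifier type: {id_type}")

def normalize_san(tag, raw):
    """Canonical form of one CSR SAN entry (hypothetical tag/bytes input)."""
    if tag == SAN_DNS:
        return ("dns", raw.decode("ascii").lower())
    if tag == SAN_IP:
        # iPAddress carries raw octets: 4 for IPv4, 16 for IPv6.
        if len(raw) not in (4, 16):
            raise ValueError("iPAddress SAN must be 4 or 16 octets")
        return ("ip", ipaddress.ip_address(raw))
    # Any other SAN type (email, URI, ...) was never authorized by the order.
    raise ValueError(f"SAN type [{tag}] not allowed")

def csr_matches_order(order_identifiers, csr_sans):
    """True only if the CSR SANs are exactly the order's identifiers."""
    try:
        wanted = {normalize_identifier(t, v) for t, v in order_identifiers}
        found = {normalize_san(tag, raw) for tag, raw in csr_sans}
    except ValueError:
        return False
    return wanted == found

# Constructed sample: one DNS name plus an IPv4 and an IPv6 identifier.
ORDER = [("dns", "example.com"), ("ip", "192.0.2.10"), ("ip", "2001:db8::1")]
GOOD_SANS = [
    (SAN_DNS, b"Example.COM"),
    (SAN_IP, bytes([192, 0, 2, 10])),
    (SAN_IP, ipaddress.IPv6Address("2001:db8::1").packed),
]

if __name__ == "__main__":
    print(csr_matches_order(ORDER, GOOD_SANS))
```

Comparing parsed address objects rather than strings means differently written forms of the same IPv6 address match, while an IP address placed in a dNSName entry does not.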

This is done and together with profile support is configurable in 3.0.0. I'll publish a new build in some days.

glatzert avatar May 15 '25 13:05 glatzert