HTTPS with IP address or Azure KeyVault certificates as SSL for website

Hey folks!

I will continue with the same old story about deployment to the OnPremise environment. This time I want to tell you how we managed the favorite part of all teams — SSL certificates.

We have 2 cases:

1. Our development/testing environment (DNS available)
2. Closed(production) environment, DNSless— VPN

HTTPS with a domain name

In the case where we have the domain name, we just configured SSL certificate with certbot which is thousands of time described how to do it — https://certbot.eff.org/docs/using.html

HTTPS on IP address

The second case was much more interesting. How do we enable a secure connection in a private network?

What do we have:

• closed network (no access outside, so certbot can’t verify)
• no DNS (only IP address)
• Let’s Encrypt doesn’t issue certificates for IP addresses

To generate an SSL certificate for an IP address we decided to use Azure KeyVault.

Azure KeyVault — is secure storage for cryptographic keys and other secrets used by cloud apps and services.

So to have https://ip_address we will do next:

1. Create Azure KeyVault
2. Generate certificate
3. Download certificate
4. Use it on our Nginx configurations

Let’s dive.

Create Azure KeyVault

To create Azure KeyVault you can use this instruction — create KeyVault.

Generate certificate

To generate your certificate just follow the next steps:

Create certificate

Next step is to fill configurations:

In these configurations, there are a few important points to understand:

• Type of Certificate Authority
• Subject or X.500 Distinguished Names
• PKCS #12 vs PEM

Other things are up to you, as they are not obligatory to make our https on IP works, so I won’t cover them here.

As soon as our certificate is created, we have to be sure that it’s enabled:

Created and enabled certificate

Download PEM and CERT

Next steps are easy:

1. Download certificate
2. Modify to use as SSL
3. Integrate
4. Tests

To download the certificate in Azure KeyVault, just open it and press Download in PFX/PEM format

Now when we have our PEM file, we need also CERT file to integrate it with NGINX. This step I find quite stupid, but it works.

We open PEM file and we copy this part:

-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIQ.........
.......................vy75E=
-----END CERTIFICATE-----

and we save it as a separate *.cert file.

*.cert with *.pem

Integrate certificate with NGINX

This is the easiest part, as we just have to include the proper path to our certificate files like you do when you use certbot:

ssl_certificate /etc/ssl/https/keyvault_priv.cert;        ssl_certificate_key /etc/ssl/https/keyvault_priv_key.pem;

And all the magic works!

https://ip_address

That’s all folks!

We implemented https://ip_addresss. Now we have our connection to the IP address secured by SSL certificate and all clients can use our website without worries.

Trusted certificate

As soon as you succeded to achieve https on IP, you Web-browsers will show you this message:

Not trusted certificate

In Chrome it’s shown like this:

Not trusted certificate

Which is normal, as a certificate which we generated was not validated by the Trusted Authority.

This can be fixed during the creation of the certificate, with paying to Trusted Authority:

Thanks for reading!

If you have other errors during securing your connection or you are interested in another topic, please add comments and upvote 👍. We‘re interested in the dialog.