
1895 points _l4jh | 3 comments
1. RKearney No.16729604
How was Cloudflare able to get a wildcard certificate with IP Address SANs added to it? How do I obtain one from DigiCert? I don't see the option on their site.
replies(1): >>16729699 #
2. prdonahue No.16729699
Fun fact: they had never issued an IPv6 SAN before (which Safari fails to validate due to a bug).

Try browsing to https://[2606:4700:4700::1111] with desktop Safari. (It's a known issue and we're working with Apple to get it fixed.)

replies(1): >>16729999 #
3. RKearney No.16729999
I understand that, and I've had to use the IPv6 address since Comcast is null routing 1.1.1.1 in my area, but that doesn't explain how a wildcard certificate was issued with IP addresses in the SAN.

Am I able to buy one for my own website? If so, how? If not, why not? I couldn't even get past the DigiCert cert selection page since a wildcard cert can't have SANs, and a SAN cert can't contain a wildcard. The only thing I haven't tried yet is supplying my own CSR.