Using IP Addresses in Certificate Subject Names

Using an IP address in the ldap_uri option instead of the server name may cause the TLS/SSL connection to fail. TLS/SSL certificates contain the server name, not the IP address. However, the subject alternative name field in the certificate can be used to include the IP address of the server, which allows a successful secure connection using an IP address.

Convert an existing certificate into a certificate request. The signing key (-signkey) is the key of the issuer of whatever CA originally issued the certificate. If this is done by an external CA, it requires a separate PEM file; if the certificate is self-signed, then this is the certificate itself. For example:

openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem

With a self-signed certificate:

openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem

Edit the /etc/pki/tls/openssl.cnf configuration file to include the server's IP address under the [ v3_ca ] section:
```
subjectAltName = IP:10.0.0.10
```
Use the generated certificate request to generate a new self-signed certificate with the specified IP address:
```
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem
```
The -extensions option sets which extensions to use with the certificate. For this, it should be v3_ca to load the appropriate section.
Copy the private key block from the old_cert.pem file into the new_cert.pem file to keep all relevant information in one file.
When creating a certificate through the certutil utility provided by the nss-utils package, note that certutil supports DNS subject alternative names for certificate creation only.