---

@chamel123 wrote:

I'm not as familiar with certificate and openssl as I'd like. Since my certificate is a CA (LestEncrypt) wildcard cert (*.mydomain,com) do you think I can alter the one I have to include the IP? It's already sign by a CA. In the meantime, I think I'm overdue for an openssl crash course. Anyway, tx for your reply 

---

You would need to get a new cert signed by the CA. There isn't a way to add the IP option to the cert you already have - it is added by the CA at the time of the cert being signed. It's added in the "Subject Alternative Name" field of the certificate, using the notation IP:w.x.y.z

Also, I don't necessarily recommend using LetsEncrypt for a device cert, simply because the certs from LetsEncrypt typically expire every 3 months, and there is no automatic way to have the Cisco device update it. You will have to manually request a new cert from LetsEncrypt, then manually log in to the Cisco device and upload it.

Dear @train_wreck ,

we were thinking of adding the Let'sEncrypt agent to the router. In addition to what you are saying I am not certain if it will fix the issue with the IP address versus domain name. I.e. I believe ( but are not sure ) that Let's Encrypt certifies servers which are reachable on the internet not really certs for internal use.

A nice solution to this problem would be to be able to define the redirected page with the FQDN. A CLI access to the router would probably permit the user to change this.