Currently customers have sites on my domain like https://customername.myapp.com. I'd like for them to be able to upload an SSL cert and then access my site via https://myappname.customername.com - how would one go about doing this programmatically in .NET/IIS 7?

bump

+1  A: 

So I might have an answer for you but it doesn't necessarily involve .NET/IIS 7.

I'm not quite sure what the end goal is here, but I'll take a stab at it. It sounds like you want customers to go to customername.myappname.com and have it show myappname.customername.com's content? You don't simply want to redirect them? Do you have a trusted SSL certificate for myapp.com? If you do, then there's a way you can extend that trust to the myappname.customername.com websites.

Assuming your customers don't want to have to pay for SSL certificates for their websites, you could have them generate self-signed certificates (or create your own CA and sign their certificates) and upload them to your website. Then, using a combination of JavaScript and Flash you could do cross-domain requests from your website to theirs over SSL.

The way this would work:

A customer would go to your website myapp.com. From there (or from customername.myapp.com if you have a wildcard SSL certificate), they could log in or just click on their name. Doing so would load a page with a JavaScript implementation of SSL, Flash swf, and the SSL certificate associated with that customer. Then the JavaScript SSL would do cross-domain ajax requests to the customer's site and show their content on myapp.com. This would enable a secure connection to their website via your website.

There's another bit of complexity that you might not be able to support in your use case, however. You need your customers' websites to be able to serve an XML file that contains a Flash cross-domain policy. This policy would specifically grant your site access to theirs.

The JavaScript TLS (SSL) and Flash you would host on your website are part of an open source project called Forge. This blog post explains how it works in further detail and provides a link to Forge on GitHub:

http://blog.digitalbazaar.com/2010/07/20/javascript-tls-1/

Most of this stuff is done using client-side JavaScript, but you'd use .NET/IIS 7 to provide your customers with the page to upload their SSL certificate.

dlongley
What I would like to do is offer someone a hosted service that looks like it's part of their site - i.e. https://myservice.yourcompany.com is actually hosted on my server. The customer would have paid for the cert, and would have sent it to me so that I can also use it on my subdomain.
mcintyre321
You won't be able to use their certificate with your domain for two reasons: 1. Their certificate will have their domain name in it, not yours, which will cause it to be rejected. 2. You won't have their private key (which they should never give out to anyone). Their private key confirms they own the certificate and is used in the SSL protocol. Since I'm short on characters in this comment, I'll explain what you might be able to do in the next one.
dlongley
You could buy an SSL certificate for your domain; you will only need one. Then you will need your customers' websites to serve up a page that includes the JavaScript and Flash from Forge along with some custom JavaScript you write to replace the content in the page using a cross-domain request to your site. You will also include, in that custom JavaScript, your certificate. The end result is that your site's content will show up on their website. And it will all be transferred securely. You should be able to test that this all works before buying a cert.
dlongley
So, from their site, you do a cross-domain XmlHttpRequest via Forge to get https://myapp.com/customername. Then you replace a div in the page on their site with loaded content. Of course, now that I better understand your use case, you might be able to accomplish all of this with a simple iframe. Your customer's website could just put an iframe to your website on the appropriate page. It sounds like you were trying to avoid purchasing an SSL certificate? If you were, then...
dlongley
...Forge is the way to go. You could generate a self-signed certificate for your website and include that with the custom JavaScript described above so that it is trusted by Forge. The only downside is that if anyone goes to your website directly (not through a customer's website) their browser will present them with a warning. If you're OK with that, then use Forge instead of the iframe solution.
dlongley
Do I understand your use case correctly: You want customer websites to show your content, securely, without you having to buy an SSL certificate? If so, Forge is perfect for this and it sounds pretty cool.
dlongley
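
The name-mismatch point raised in the comments (a certificate is rejected when the host it is served on is not among its names), as an added example that is not part of the original thread or of Forge: a check a certificate upload page could run to see which hostnames an uploaded certificate covers. The certificate objects, the `dnsNames`/`commonName` fields and all function names are hypothetical, and the sample certificates are constructed; parsing the uploaded file and verifying the private key are assumed to happen elsewhere.

```javascript
// Added example: hostname matching for an uploaded certificate's names.
// The certificate objects here are constructed sample data, not parsed certificates.

// True if one certificate DNS name (exact or wildcard) covers the host.
function nameMatches(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, '').split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  if (h.some((label) => label === '')) return false; // malformed host
  if (p.length !== h.length) return false;           // a wildcard never spans extra labels
  if (p[0] === '*') {
    // Wildcard must be the whole left-most label, with at least two labels after it.
    if (p.length < 3) return false;
    return p.slice(1).join('.') === h.slice(1).join('.');
  }
  if (pattern.includes('*')) return false;            // partial or misplaced wildcard
  return p.join('.') === h.join('.');
}

// SAN dNSName entries take precedence; the subject CN is only a legacy
// fallback when the certificate lists no DNS names at all.
function certCoversHost(cert, host) {
  const names = cert.dnsNames && cert.dnsNames.length
    ? cert.dnsNames
    : (cert.commonName ? [cert.commonName] : []);
  return names.some((name) => nameMatches(name, host));
}

// Report, per hostname the service would answer on, whether the upload covers it.
function checkUpload(cert, servedHosts) {
  return servedHosts.map((host) => ({ host, covered: certCoversHost(cert, host) }));
}

// Constructed samples: a customer's own certificate and a wildcard for the app domain.
const customerCert = {
  commonName: 'customername.com',
  dnsNames: ['customername.com', 'www.customername.com'],
};
const wildcardCert = { commonName: 'myapp.com', dnsNames: ['*.myapp.com', 'myapp.com'] };

console.log(checkUpload(customerCert, ['customername.myapp.com', 'www.customername.com']));
console.log(checkUpload(wildcardCert, ['customername.myapp.com', 'a.b.myapp.com']));
```

Running the check at upload time lets the page reject a certificate before it is bound to a site where every visitor would get a name-mismatch warning.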