I've got an SSL certificate for what I think is my domain and I want to apply it to two separate applications in that domain that run under ASP classic in IIS on Windows 2000.

I have the following stupid questions:

  1. Are certificates issued for URLs or domains? Or subdomains?
  2. Can I use the same cert for multiple websites (applications) within that domain, or do I need a separate one?
  3. Can I inspect the cert file to determine for what or to whom it's issued?

Thanks!

+1  A: 
  1. They are issued for domains. Subdomains require their own certs. You can buy a special wildcard cert for your domain that lets you create certs for your subdomains, but they are more expensive.

  2. If you buy a cert for mydomain.com, you can use it for anything that starts with https://mydomain.com/

  3. Yes. You can do this for any certs. Check out the lock icon in your browser's address bar.

Lance Fisher
+2  A: 

1) Web certs are issued to a domain. Specifically, the CN attribute of the certificate must match the domain used to access your site.

2) Certs are usually installed per host (or virtual host). If you had a cert for the domain wwwapps.domain.tld you could have one app at /calendar, and one app at /contacts.

3) Yes, depending on the format and where it is, this can be easy or hard. If you have a crt file and you are running under Windows, just click on it. You should see the details.

If you want to inspect a certificate that is installed on a site, you usually have to click on the padlock icon.

On Windows you can also open up the MMC, add the certificate snap-in and see any/all installed certificates on the local machine, or your profile.

Zoredache
A: 

It's usually issued to a single web server host (basically a computer CNAME or A record) like foo.bar.com where foo is one name for the host which the certificate request was generated for and bar.com is its domain.

Thus it will work for any application or virtual directory that responds to https://foo.bar.com - like https://foo.bar.com/planner/ - but nothing more.

For https://*.bar.com you can get a wildcard certificate that lets you handle any number of hosts without any hassle - at a greater cost.

There are also multiple-SAN (UCC) certificates that can contain a specific number of host names in a single certificate like webmail.bar.com and autodiscover.bar.com for an Exchange 2007 server serving both web access and Outlook Anywhere from the same physical machine and NIC.

If it's in .cer format, simply opening it in Windows will show the details; if it's a pfx or in some other transport format, you'd need to import it.

You basically install the certificate on a Web Site node in IIS and anything you can fit beneath that (or modify using a modern firewall in front of it to still respond to the issued common name foo.bar.com) will work.

Oskar Duveborn
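
The host-name matching described in the answers above (single-host, wildcard and multiple-SAN certificates), as an added example that is not part of any answer. The function names and the sample certificates are constructed for illustration; the host names are the ones used in the answers.

```python
from urllib.parse import urlsplit

def label_match(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host name, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never several
    if p_labels[0] == "*":
        # Wildcard accepted only as the whole left-most label of a
        # name with at least three labels (so "*.com" is rejected).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "f*o.bar.com" are rejected here.
    return "*" not in pattern and p_labels == h_labels

def cert_covers(url: str, common_name: str, san_dns: tuple = ()) -> bool:
    """True if a certificate carrying these names is valid for the URL's host.

    Only the host part of the URL is compared; the path is ignored, which is
    why one certificate serves every application under the same host.
    If SAN dNSName entries are present they are used and the CN is not
    consulted (RFC 6125); the CN is a fallback when there is no SAN.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    names = san_dns if san_dns else (common_name,)
    return any(label_match(name, host) for name in names)

# Constructed sample certificates (names only, no real certificate data).
SINGLE = {"common_name": "foo.bar.com"}
WILDCARD = {"common_name": "*.bar.com"}
UCC = {"common_name": "webmail.bar.com",
       "san_dns": ("webmail.bar.com", "autodiscover.bar.com")}

if __name__ == "__main__":
    checks = [
        ("single", SINGLE, "https://foo.bar.com/planner/"),
        ("single", SINGLE, "https://www.bar.com/"),
        ("wildcard", WILDCARD, "https://anything.bar.com/"),
        ("wildcard", WILDCARD, "https://bar.com/"),
        ("wildcard", WILDCARD, "https://a.b.bar.com/"),
        ("ucc", UCC, "https://autodiscover.bar.com/owa"),
    ]
    for kind, cert, url in checks:
        print(f"{kind:9} {url:36} covered={cert_covers(url, **cert)}")
```
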
A: 

Thanks! I enabled port 443 for the site at the domain on the cert, loaded the cert via directory security in IIS for each subfolder, and enabled 128-bit encryption. Worked like a champ!

Caveatrob