tags:

views:

1661

answers:

2
+2  Q: 

SSL on a single server for multiple web sites

Here is my scenario:

default website on IIS 6.0 is already protected by an SSL cert with common names covering the following:

domainname.com www.domainname.com

I have a new website on the same IIS server and need to protect it with an SSL cert with the following common name:

subdomainname.domainname.com (same domainname as default)

I do not have the freedom to add a new IP address to the server. Not an infrastructure friendly request for whatever reasons.

We also have our Exchange webmail protected by another cert on another server with:

webmail.domainname.com

I do not believe I can use a wildcard cert because exchange is on a different server, correct?

Whether I can or not use a wildcard server, how can I protect the new subdomain on the main IIS server with a new cert? Do I replace the cert on the default with the new common name representing the subdomain web site and the default web site common names. Can I assign the same cert on the same server with all common names needing protection to multiple websites on IIS 6.0?

Thanks for any help in getting this resolved.

+1  A: 

You are correct, you would need multiple signed certificates for your servers. Godaddy offers certs for single-servers only, AFAICT. DigiCert offers multi-domain, multi-server certificates. I've never used them, so I can't vouch for anything they offer, but it shows that what you want IS available in the marketplace.

Chris Kaminski  2009-05-19 14:49:30
Can I use a wildcard cert to cover both websites with different subdomains and the main domain on the same server?
Eddie  2009-05-19 15:17:06
Eddie - yes, but since the certs are keyed to a combination of hostname and IP address, you'd need two wildcard certs for a two machine configuration if you went the godaddy route.
Chris Kaminski  2009-05-20 14:07:39
+1  A: 

You can get a single cert and use it on multiple servers so long as the DNS entries map out to the correct servers.

Go Daddy offers several cert types and they don't make it clear how to deal with this issue.

Standard (Turbo) SSL 1 domain ~$30
Standard Multiple Domain (UCC) SSL Up to 5 Domains ~$90
Standard (Turbo) Wildcard SSL ~$200

Get the 5 domain cert with

domainname.com
www.domainname.com
subdomainname.domainname.com
webmail.domainname.com

all listed on the one cert. Complete the request on the server you started the request from then use the tools built into the windows servers to copy the cert from one server to another. Doing so doesn't remove it from the first server and adds it to the second.

I did this not too long ago. My Web server is 2008 and the mail server is 2003. In that combination I had to export as a .pfx file and then import the .pfx. If you do it from 2003 to 2003 you may be able to use the copy from another server option and save manually moving the exported file around.

In my case the cert mentions "Certificate Subject Alt Name" with

Not Critical
DNS Name: www.adomain.com
DNS Name: adomain.com
DNS Name: www.adomain.com
DNS Name: mail.adomain.com

Looks like one of those lines is a duplicate but hey it works. I don't know why the cert uses the terminology of "Not Critical" to head that section.

IIS won't let you put two sites on the same IP/port combo but it will let you put the same SSL on two different sites. The secondary site will have to use something other than 443 if you don't have the option of using a different IP address.

pplrppl  2009-05-22 18:53:07

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL