internal ssl cert that works with domain and without

[Bob]

I have a web site on an internal iis 6.0 server. Some users use the host
header name of the website with the domain attached and some connect without:

for example:

https:\\internal vs https:\\internal.company.com

I have an SSL certificate that has the host header name and those that
connect without the domain connect straight through, no errors. If they use
the https:\\internal.company.com however they get a certificate error as the
name is different then the certifcate. I can change the certificate to
include the domain but then the host header name by itself gives the error.

is there a way to allow both to work without a certificate error?

I tried a spin on the wildcard certificate creating a request with
"internal.*" but that was no go as well. Do you need to "turn anything on" to
get IIS 6.0 to accept the "*" maybe?

Certificates authorized through an internal 2003 CA

thanks

 

[Paul Adare]

On Wed, 23 Apr 2008 12:11:00 -0700, Bob wrote:

> I tried a spin on the wildcard certificate creating a request with
> "internal.*" but that was no go as well. Do you need to "turn anything on" to
> get IIS 6.0 to accept the "*" maybe?

That's not the way wild carding works. It only works for the leftmost
label.

--
Paul Adare
http://www.identit.ca
Machine-independent: Does not run on any existing machine.

 

[Dobromir Todorov]

Rather than allowing everything in a domain (which you can't don) you are
better off enumerating all the FQDNs that you want users to be able to
access, and then including them in the certificate Subject Alternative Name
field (or even as multiple CNs in the Subject field).

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"Bob" wrote in message
news:F56B2D9A-E459-490F-A516-0885107E104B@microsoft.com...
>I have a web site on an internal iis 6.0 server. Some users use the host
> header name of the website with the domain attached and some connect
> without:
>
> for example:
>
> https:\internal vs https:\internal.company.com
>
> I have an SSL certificate that has the host header name and those that
> connect without the domain connect straight through, no errors. If they
> use
> the https:\internal.company.com however they get a certificate error as
> the
> name is different then the certifcate. I can change the certificate to
> include the domain but then the host header name by itself gives the
> error.
>
> is there a way to allow both to work without a certificate error?
>
> I tried a spin on the wildcard certificate creating a request with
> "internal.*" but that was no go as well. Do you need to "turn anything on"
> to
> get IIS 6.0 to accept the "*" maybe?
>
> Certificates authorized through an internal 2003 CA
>
> thanks
>

 

[Bob]

The SAN seems like the way to go from reading up on a description of it.

Thanks very much for the information! Now to research the implementation
part!

Have a great day and thanks again!









"Dobromir Todorov" wrote:

> Rather than allowing everything in a domain (which you can't don) you are
> better off enumerating all the FQDNs that you want users to be able to
> access, and then including them in the certificate Subject Alternative Name
> field (or even as multiple CNs in the Subject field).
>
> --
> ---
> HTH,
> Dobromir
>
> Learn more about Security and Identity Management:
> Visit http://www.iamechanics.com
>
> "Bob" wrote in message
> news:F56B2D9A-E459-490F-A516-0885107E104B@microsoft.com...
> >I have a web site on an internal iis 6.0 server. Some users use the host
> > header name of the website with the domain attached and some connect
> > without:
> >
> > for example:
> >
> > https:internal vs https:internal.company.com
> >
> > I have an SSL certificate that has the host header name and those that
> > connect without the domain connect straight through, no errors. If they
> > use
> > the https:internal.company.com however they get a certificate error as
> > the
> > name is different then the certifcate. I can change the certificate to
> > include the domain but then the host header name by itself gives the
> > error.
> >
> > is there a way to allow both to work without a certificate error?
> >
> > I tried a spin on the wildcard certificate creating a request with
> > "internal.*" but that was no go as well. Do you need to "turn anything on"
> > to
> > get IIS 6.0 to accept the "*" maybe?
> >
> > Certificates authorized through an internal 2003 CA
> >
> > thanks
> >
>
>
>

 

[Robertss]

Certificates with SAN names are typically created with the Exchange
2007 Management Shell. (http://www.digicert.com/csr-creation-microsoft-
unified-communications.htm) This is because SANs weren't commonly used
before Exchange 2007 started using them. If you have Exchange 2007,
you can generate the cert and after installing it, assign it to be
used by an IIS website.

However, most CAs allow you to generate a normal CSR in IIS and then
add the additional SAN names during the ordering process. If you are
looking for a commerical certificate, you can compare SAN/UC
certificates here: http://www.sslshopper.com/unified-communic...rtificates.html

Robert

On Apr 24, 6:52 am, Bob wrote:
> The SAN seems like the way to go from reading up on a description of it.
>
> Thanks very much for the information!  Now to research the implementation
> part!
>
> Have a great day and thanks again!
>
>
>
> "Dobromir Todorov" wrote:
> > Rather than allowing everything in a domain (which you can't don) you are
> > better off enumerating all the FQDNs that you want users to be able to
> > access, and then including them in the certificate Subject Alternative Name
> > field (or even as multiple CNs in the Subject field).
>
> > --
> > ---
> > HTH,
> > Dobromir
>
> > Learn more about Security and Identity Management:
> > Visithttp://www.iamechanics.com
>
> > "Bob" wrote in message
> >news:F56B2D9A-E459-490F-A516-0885107E104B@microsoft.com...
> > >I have a web site on an internal iis 6.0 server. Some users use the host
> > > header name of the website with the domain attached and some connect
> > > without:
>
> > > for example:
>
> > > https:internal vs https:internal.company.com
>
> > > I have anSSLcertificate that has the host header name and those that
> > > connect without the domain connect straight through, no errors. If they
> > > use
> > > the https:internal.company.com however they get a certificate error as
> > > the
> > > name is different then the certifcate. I can change the certificate to
> > > include the domain but then the host header name by itself gives the
> > > error.
>
> > > is there a way to allow both to work without a certificate error?
>
> > > I tried a spin on the wildcard certificate creating a request with
> > > "internal.*" but that was no go as well. Do you need to "turn anything on"
> > > to
> > > get IIS 6.0 to accept the "*" maybe?
>
> > > Certificates authorized through an internal 2003 CA
>
> > > thanks- Hide quoted text -
>
> - Show quoted text -

 

[Brian Komar \(MVP\)]

Ummmmm.....
I think it is more like you never used SANS in certificates before Exchange
2007, bud...
- RFC 3280 has been out since 2002.
- Windows Server 2003 PKI used SANs extensively for smart cards, DC certs
and others
Brian


"Robertss" wrote in message
news:22b053ae-92a2-4c33-8dc1-c61c151770c9@k10g2000prm.googlegroups.com...
Certificates with SAN names are typically created with the Exchange
2007 Management Shell. (http://www.digicert.com/csr-creation-microsoft-
unified-communications.htm) This is because SANs weren't commonly used
before Exchange 2007 started using them. If you have Exchange 2007,
you can generate the cert and after installing it, assign it to be
used by an IIS website.

However, most CAs allow you to generate a normal CSR in IIS and then
add the additional SAN names during the ordering process. If you are
looking for a commerical certificate, you can compare SAN/UC
certificates here:
http://www.sslshopper.com/unified-communic...rtificates.html

Robert

On Apr 24, 6:52 am, Bob wrote:
> The SAN seems like the way to go from reading up on a description of it.
>
> Thanks very much for the information! Now to research the implementation
> part!
>
> Have a great day and thanks again!
>
>
>
> "Dobromir Todorov" wrote:
> > Rather than allowing everything in a domain (which you can't don) you
> > are
> > better off enumerating all the FQDNs that you want users to be able to
> > access, and then including them in the certificate Subject Alternative
> > Name
> > field (or even as multiple CNs in the Subject field).
>
> > --
> > ---
> > HTH,
> > Dobromir
>
> > Learn more about Security and Identity Management:
> > Visithttp://www.iamechanics.com
>
> > "Bob" wrote in message
> >news:F56B2D9A-E459-490F-A516-0885107E104B@microsoft.com...
> > >I have a web site on an internal iis 6.0 server. Some users use the
> > >host
> > > header name of the website with the domain attached and some connect
> > > without:
>
> > > for example:
>
> > > https:internal vs https:internal.company.com
>
> > > I have anSSLcertificate that has the host header name and those that
> > > connect without the domain connect straight through, no errors. If
> > > they
> > > use
> > > the https:internal.company.com however they get a certificate error
> > > as
> > > the
> > > name is different then the certifcate. I can change the certificate to
> > > include the domain but then the host header name by itself gives the
> > > error.
>
> > > is there a way to allow both to work without a certificate error?
>
> > > I tried a spin on the wildcard certificate creating a request with
> > > "internal.*" but that was no go as well. Do you need to "turn anything
> > > on"
> > > to
> > > get IIS 6.0 to accept the "*" maybe?
>
> > > Certificates authorized through an internal 2003 CA
>
> > > thanks- Hide quoted text -
>
> - Show quoted text -