Ummmmm.....
I think it is more like you never used SANS in certificates before Exchange
2007, bud...
- RFC 3280 has been out since 2002.
- Windows Server 2003 PKI used SANs extensively for smart cards, DC certs
and others
Brian
"Robertss" <webmaster@sslshopper.com> wrote in message
news:22b053ae-92a2-4c33-8dc1-c61c151770c9@k10g2000prm.googlegroups.com...
Certificates with SAN names are typically created with the Exchange
2007 Management Shell. (
http://www.digicert.com/csr-creation-microsoft-
unified-communications.htm) This is because SANs weren't commonly used
before Exchange 2007 started using them. If you have Exchange 2007,
you can generate the cert and after installing it, assign it to be
used by an IIS website.
However, most CAs allow you to generate a normal CSR in IIS and then
add the additional SAN names during the ordering process. If you are
looking for a commerical certificate, you can compare SAN/UC
certificates here:
http://www.sslshopper.com/unified-communic...rtificates.html
Robert
On Apr 24, 6:52 am, Bob <B...@discussions.microsoft.com> wrote:<span style="color:blue">
> The SAN seems like the way to go from reading up on a description of it.
>
> Thanks very much for the information! Now to research the implementation
> part!
>
> Have a great day and thanks again!
>
>
>
> "Dobromir Todorov" wrote:<span style="color:green">
> > Rather than allowing everything in a domain (which you can't don) you
> > are
> > better off enumerating all the FQDNs that you want users to be able to
> > access, and then including them in the certificate Subject Alternative
> > Name
> > field (or even as multiple CNs in the Subject field).</span>
><span style="color:green">
> > --
> > ---
> > HTH,
> > Dobromir</span>
><span style="color:green">
> > Learn more about Security and Identity Management:
> > Visithttp://www.iamechanics.com</span>
><span style="color:green">
> > "Bob" <B...@discussions.microsoft.com> wrote in message
> >news:F56B2D9A-E459-490F-A516-0885107E104B@microsoft.com...<span style="color:darkred">
> > >I have a web site on an internal iis 6.0 server. Some users use the
> > >host
> > > header name of the website with the domain attached and some connect
> > > without:</span></span>
><span style="color:green"><span style="color:darkred">
> > > for example:</span></span>
><span style="color:green"><span style="color:darkred">
> > > https:internal vs https:internal.company.com</span></span>
><span style="color:green"><span style="color:darkred">
> > > I have anSSLcertificate that has the host header name and those that
> > > connect without the domain connect straight through, no errors. If
> > > they
> > > use
> > > the https:internal.company.com however they get a certificate error
> > > as
> > > the
> > > name is different then the certifcate. I can change the certificate to
> > > include the domain but then the host header name by itself gives the
> > > error.</span></span>
><span style="color:green"><span style="color:darkred">
> > > is there a way to allow both to work without a certificate error?</span></span>
><span style="color:green"><span style="color:darkred">
> > > I tried a spin on the wildcard certificate creating a request with
> > > "internal. " but that was no go as well. Do you need to "turn anything
> > > on"
> > > to
> > > get IIS 6.0 to accept the " " maybe?</span></span>
><span style="color:green"><span style="color:darkred">
> > > Certificates authorized through an internal 2003 CA</span></span>
><span style="color:green"><span style="color:darkred">
> > > thanks- Hide quoted text -</span></span>
>
> - Show quoted text -</span>