internal ssl cert that works with domain and without

Posted

I have a web site on an internal IIS 6.0 server. Some users use the host header name of the website with the domain attached and some connect without:

for example:

https://internal vs https://internal.company.com

I have an SSL certificate that has the host header name, and those that connect without the domain connect straight through, no errors. If they use https://internal.company.com, however, they get a certificate error, as the name is different from the certificate. I can change the certificate to include the domain, but then the host header name by itself gives the error.

Is there a way to allow both to work without a certificate error?

I tried a spin on the wildcard certificate, creating a request with "internal.*", but that was no go as well. Do you need to "turn anything on" to get IIS 6.0 to accept the "*" maybe?

Certificates are authorized through an internal 2003 CA.

thanks

Guest Paul Adare
Posted

On Wed, 23 Apr 2008 12:11:00 -0700, Bob wrote:

> I tried a spin on the wildcard certificate, creating a request with
> "internal.*", but that was no go as well. Do you need to "turn anything on" to
> get IIS 6.0 to accept the "*" maybe?

That's not the way wildcarding works. It only works for the leftmost label.

--
Paul Adare
http://www.identit.ca
Machine-independent: Does not run on any existing machine.

Guest Dobromir Todorov
Posted

Rather than allowing everything in a domain (which you can't do), you are better off enumerating all the FQDNs that you want users to be able to access, and then including them in the certificate Subject Alternative Name field (or even as multiple CNs in the Subject field).

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

 

"Bob" <Bob@discussions.microsoft.com> wrote in message
news:F56B2D9A-E459-490F-A516-0885107E104B@microsoft.com...

> I have a web site on an internal IIS 6.0 server. Some users use the host
> header name of the website with the domain attached and some connect
> without [...]
>
> is there a way to allow both to work without a certificate error?
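The two replies above (Paul Adare on a wildcard matching only the leftmost label, Dobromir Todorov on enumerating every name in the Subject Alternative Name) both come down to how a client compares the host the user typed against the DNS names in the certificate. The following Python is an added example written for this page, not code from any of the posters: it implements those comparison rules (RFC 6125 style, with `*` honoured only as the entire leftmost label) and runs the certificates discussed in the thread, including the failed "internal.*" request, against both URLs from the question. The certificate contents are constructed inline as name lists; no real certificate is parsed.

```python
"""Hostname-to-certificate name matching, in the style of RFC 6125.

Added example for this thread (not code from any of the posters). A
certificate is modelled as the list of DNS names it presents: its Subject
Alternative Name entries, or just the Subject CN for a legacy single-name
certificate. Rules implemented:

  * comparison is case-insensitive and ignores a trailing dot;
  * "*" counts as a wildcard only when it is the entire leftmost label and
    at least two more labels follow ("*.company.com", never "*.com");
  * a wildcard stands in for exactly one label, so "*.company.com" matches
    "internal.company.com" but neither "internal" nor "a.b.company.com";
  * any other use of "*" (for example "internal.*") is not a wildcard at all
    and matches nothing.
"""
import re

# One DNS label: letters, digits and hyphens, not starting or ending with "-".
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def name_matches(hostname: str, cert_name: str) -> bool:
    """Does one DNS name from the certificate cover the requested host?"""
    host = _normalize(hostname)
    pattern = _normalize(cert_name)
    if "*" not in pattern:
        return host == pattern
    labels = pattern.split(".")
    # Reject "internal.*", "int*.company.com", "*.com" and similar.
    if labels[0] != "*" or len(labels) < 3 or not all(_LABEL.match(lab) for lab in labels[1:]):
        return False
    host_labels = host.split(".")
    if len(host_labels) != len(labels):
        return False  # the wildcard spans exactly one label, no more, no fewer
    return bool(_LABEL.match(host_labels[0])) and host_labels[1:] == labels[1:]


def cert_matches(hostname: str, cert_names) -> bool:
    """True if any name in the certificate covers the host the user typed."""
    return any(name_matches(hostname, n) for n in cert_names)


def check_all(cert_names, hostnames) -> dict:
    """Map each hostname users might type to whether the certificate covers it."""
    return {h: cert_matches(h, cert_names) for h in hostnames}


# The two URLs from the question (constructed sample input).
URLS = ["internal", "internal.company.com"]

# Candidate certificates from the thread, as the DNS names each presents.
CANDIDATES = {
    "CN=internal only":             ["internal"],
    "CN=internal.company.com only": ["internal.company.com"],
    'the "internal.*" attempt':     ["internal.*"],
    "wildcard *.company.com":       ["*.company.com"],
    "SAN with both names":          ["internal", "internal.company.com"],
}


def covers_both_urls(cert_names) -> bool:
    """Would every user in the question connect without a certificate error?"""
    return all(check_all(cert_names, URLS).values())


if __name__ == "__main__":
    for label, names in CANDIDATES.items():
        result = check_all(names, URLS)
        verdict = "OK for both" if covers_both_urls(names) else "certificate error for some users"
        print(f"{label:30} {result}  -> {verdict}")
```

Running it shows that only the certificate listing both `internal` and `internal.company.com` satisfies both URLs. Note also that even a correctly formed `*.company.com` never covers the bare `internal` name, which is why no wildcard, however it is written, can solve this case.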

Posted

The SAN seems like the way to go from reading up on a description of it.

Thanks very much for the information! Now to research the implementation part!

Have a great day and thanks again!

"Dobromir Todorov" wrote:

> Rather than allowing everything in a domain (which you can't do), you are
> better off enumerating all the FQDNs that you want users to be able to
> access, and then including them in the certificate Subject Alternative Name
> field (or even as multiple CNs in the Subject field).

Guest Robertss
Posted

Certificates with SAN names are typically created with the Exchange 2007 Management Shell. (http://www.digicert.com/csr-creation-microsoft-unified-communications.htm) This is because SANs weren't commonly used before Exchange 2007 started using them. If you have Exchange 2007, you can generate the cert and, after installing it, assign it to be used by an IIS website.

However, most CAs allow you to generate a normal CSR in IIS and then add the additional SAN names during the ordering process. If you are looking for a commercial certificate, you can compare SAN/UC certificates here: http://www.sslshopper.com/unified-communic...rtificates.html

Robert

 

On Apr 24, 6:52 am, Bob <B...@discussions.microsoft.com> wrote:

> The SAN seems like the way to go from reading up on a description of it.
>
> Thanks very much for the information! Now to research the implementation
> part!
>
> Have a great day and thanks again!
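Robert's reply covers the Exchange 2007 shell and commercial CAs; for the internal Windows Server 2003 CA named in the question, the Windows-native way to make a request that carries its own SAN extension is a certreq.exe .inf file. The Python below is an added example for this page, not code from any poster or from Microsoft: it validates the names (refusing anything with a wildcard, per Paul Adare's point), removes duplicates, and writes a certreq request file that lists every name in the Subject Alternative Name extension, with the first name repeated as the CN. Assumptions not stated on the page: a certreq that understands the `[Extensions]` section with the `{text}` encoding and `_continue_` lines, a CA template named `WebServer` that allows the subject to be supplied in the request, and a 2048-bit RSA key in the machine store.

```python
"""Generate a certreq.exe request file whose Subject Alternative Name lists
every DNS name users type, so one certificate covers "internal" and
"internal.company.com" alike.

Added example for this thread, not code from the posters or from Microsoft.
Assumptions (not stated on the page): certreq accepts an [Extensions]
section with the "{text}" encoding and "_continue_" lines for OID 2.5.29.17,
the CA has a template named WebServer that lets the subject be supplied in
the request, and a 2048-bit RSA key in the machine store is wanted.
"""
import string

MAX_LABEL = 63
_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def validate_dns_name(name: str) -> str:
    """Return the normalized name, or raise ValueError.

    Wildcards are refused outright: the thread's "internal.*" is not a valid
    wildcard, and a valid one ("*.company.com") still cannot cover the bare
    host name "internal", so enumerating the names is the only fix.
    """
    n = _normalize(name)
    if not n:
        raise ValueError("empty DNS name")
    if "*" in n:
        raise ValueError(f"wildcards are not accepted here: {name!r}")
    for label in n.split("."):
        if (not label or len(label) > MAX_LABEL
                or label.startswith("-") or label.endswith("-")
                or not set(label) <= _LABEL_CHARS):
            raise ValueError(f"invalid DNS label {label!r} in {name!r}")
    return n


def is_valid_dns_name(name: str) -> bool:
    try:
        validate_dns_name(name)
        return True
    except ValueError:
        return False


def san_names(primary: str, *aliases: str) -> list:
    """Validated, de-duplicated name list; the first entry becomes the CN."""
    out = []
    for raw in (primary, *aliases):
        n = validate_dns_name(raw)
        if n not in out:
            out.append(n)
    return out


def certreq_inf(names, template: str = "WebServer", key_length: int = 2048) -> str:
    """Build the .inf text for `certreq -new` (assumed certreq syntax, see above)."""
    if not names:
        raise ValueError("at least one DNS name is required")
    lines = [
        "[Version]",
        'Signature="$Windows NT$"',
        "",
        "[NewRequest]",
        f'Subject = "CN={names[0]}"',  # CN alone is ignored by modern clients,
        f"KeyLength = {key_length}",   # so the same name is repeated in the SAN
        "KeySpec = 1",                 # AT_KEYEXCHANGE, needed for TLS
        "KeyUsage = 0xA0",             # digitalSignature | keyEncipherment
        "MachineKeySet = TRUE",        # key lives in the computer store for IIS
        "Exportable = FALSE",          # do not let the private key leave the box
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "RequestType = PKCS10",
        "",
        "[RequestAttributes]",
        f"CertificateTemplate = {template}",  # assumed template name
        "",
        "[Extensions]",
        '2.5.29.17 = "{text}"',        # id-ce-subjectAltName, one dns= entry per name
    ]
    lines += [f'_continue_ = "dns={n}&"' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    names = san_names("internal.company.com", "internal")
    print(certreq_inf(names), end="")
```

Save the output as request.inf on the IIS host, run `certreq -new request.inf request.req`, submit it with `certreq -submit -config "CAHOST\CA Name" request.req cert.cer`, then `certreq -accept cert.cer` on the same host before binding the certificate to the site. Carrying the names inside the request's own extension is preferable to turning on the CA's EDITF_ATTRIBUTESUBJECTALTNAME2 flag: that flag lets any enrollee attach arbitrary SANs to a request for any template, which is a well-known way to obtain certificates for names the requester does not control.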

Guest Brian Komar (MVP)
Posted

Ummmmm.....

I think it is more like you never used SANs in certificates before Exchange 2007, bud...

- RFC 3280 has been out since 2002.
- Windows Server 2003 PKI used SANs extensively for smart cards, DC certs and others.

Brian

 

 

"Robertss" <webmaster@sslshopper.com> wrote in message
news:22b053ae-92a2-4c33-8dc1-c61c151770c9@k10g2000prm.googlegroups.com...

> Certificates with SAN names are typically created with the Exchange
> 2007 Management Shell. [...] This is because SANs weren't commonly used
> before Exchange 2007 started using them.
