
I want to offer our online services over HTTPS and am having a couple of problems understanding how to accomplish this. To access our services you must pass through our ISA firewall to a Win2000 server running IIS6. About half of our services are located here, and the other half take you to a Win2003 server also running IIS6. So, in order to achieve this must each server have the proper certificate installed? ISA, IIS6_1 and IIS6_2? Is there a separate configuration that must be made to our ISA firewall?

The other problem is with the CA and knowing how many certificates I need. It's important to note that the domain name for our services on IIS6_1 is www.example.com, but the domain name on IIS6_2 is services.example.com. I believe that this will require me to purchase more than one certificate. It looks as though we will be going with Thawte's SSL123 as it's a good name and it's fast to get. Will I need to purchase two certificates (one for www.example.com which will be installed on our ISA firewall as well as IIS6_1, and one for services.example.com on IIS6_2)? Or will I need to purchase three, the extra one being used on our firewall server?

Another side question is about SANs (subject alternative names). Is this basically adding sub-domains to your cert? So I could purchase one cert with one SAN for www. and services.?

JohnyD

1 Answer


You should probably purchase the 'wildcard' certificate for example.com. This will allow you to issue valid certificates yourself for subdomains underneath example.com (e.g., both the ones you mentioned).

The wildcard certs are more expensive than individual certs, but allow you greater flexibility in the future.

As for the specific cert mappings, you'll need to load the certs for each particular web page onto the host that serves that page, and also into the ISA server's web publishing rules (the dialogs for certs are in the 'listener' objects).

SAN is a different thing in this context. They're used to add multiple different domain names to a single certificate (e.g., to add both example.com and example.net under a single cert). They are not as useful as a wildcard which gives you coverage of *.example.com.

Chris Thorpe
  • A wildcard certificate is only needed if you're operating on different subdomains. If all the servers are load-balanced on the same domain name (CN) then you're going to face the same issue of having a certificate loaded for each one. The OP doesn't state whether or not they are though. – Mark Henderson Mar 23 '10 at 22:24
  • Second paragraph ;) – Chris Thorpe Mar 23 '10 at 23:13
  • 2nd paragraph actually says `The wildcard certs are more expensive than individual certs...` - anyhow, the point of my comment was actually about the specific **need** for the wildcard, not loading them. Mind you, the OP doesn't state if they all run on the same domain or not. – Mark Henderson Mar 23 '10 at 23:17
  • His second paragraph. Yes he does. – Chris Thorpe Mar 24 '10 at 01:10
  • He doesn't mention load balancing though: without multiple public IP addresses, he won't be able to host more than one SSL site on 443. – gravyface Mar 24 '10 at 01:49
  • That's great news about the wildcard cert. However, I still may go with the SSL123 option as I can get the certs I need in 10 minutes. My boss didn't give me a whole lot of heads up for this implementation, so 1-2 days is a stretch. Is it difficult to migrate from SSL123 certs to a single wildcard cert? And just to be clear, if I do go with the SSL123 option, will I need two or three certificates? – JohnyD Mar 24 '10 at 11:42
  • After reviewing the problem further, the wildcard certificate is definitely the way to go. ISA 2006's one certificate per web listener imposes a limitation which makes a wildcard much more appealing than the work involved in getting around it. Thanks everyone for your help. – JohnyD Mar 26 '10 at 12:50
  • A wildcard doesn't allow you to *issue* certs for subdomains. It just covers all subdomains itself. – TRiG Jul 22 '15 at 19:03
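As an added example (not from the question, the answer, or any product mentioned), the following Python checker applies the usual RFC 6125 name-matching rules to the three purchase options discussed above: two single-name certs, one `*.example.com` wildcard, and one multi-name SAN cert. It shows the point TRiG makes in the last comment, that a wildcard covers one level of subdomain itself rather than letting you issue certs, and that it does not cover the bare `example.com`. The cert labels and host list are constructed for the demonstration.

```python
"""Which hostnames does a certificate's name set cover? (added example)"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Normalise a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate identity (CN or DNS SAN) covers hostname.

    Rules as commonly implemented per RFC 6125: a wildcard is honoured only as
    the entire leftmost label, it stands for exactly one label, and it is not
    accepted with fewer than three labels (so '*.com' is rejected). Because it
    replaces one label, '*.example.com' never covers 'example.com' itself.
    """
    cert = _labels(cert_name)
    host = _labels(hostname)
    if "*" not in cert_name:
        return cert == host                      # plain name: exact match only
    if cert[0] != "*" or any("*" in l for l in cert[1:]) or len(cert) < 3:
        return False                              # partial or mid-name wildcard
    return len(host) == len(cert) and host[1:] == cert[1:]


def covered_by(hostname: str, certs: dict[str, list[str]]) -> list[str]:
    """Labels of the certs (mapping label -> identities) that cover hostname."""
    return [label for label, names in certs.items()
            if any(name_matches(n, hostname) for n in names)]


# Constructed sample: the purchase options discussed in the thread.
CERTS = {
    "ssl123-www": ["www.example.com"],
    "ssl123-services": ["services.example.com"],
    "wildcard": ["*.example.com"],
    "san": ["example.com", "example.net", "www.example.com"],
}
HOSTS = ["www.example.com", "services.example.com", "example.com", "a.b.example.com"]


def coverage_report(hosts=HOSTS, certs=CERTS) -> dict[str, list[str]]:
    """Map each hostname to the cert labels that would validate for it."""
    return {h: covered_by(h, certs) for h in hosts}


if __name__ == "__main__":
    for host, labels in coverage_report().items():
        print(f"{host:22} covered by: {', '.join(labels) or 'nothing'}")
```

Note that `a.b.example.com` ends up covered by nothing: a single wildcard does not reach a second level of subdomain.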