0

I am completely new to security, and I'm confused about what kind and how many SSL certificates I need.

I have a REST API server running on Windows Server 2012. It's currently listening on HTTP port 80. Since I'm going to implement token authentication for the mobile clients, I want to install the Web Application Proxy on my server, so that I can close port 80 and redirect HTTPS requests to my listener at port 80.

When I try to install the Web Application Proxy, it says it requires 1) a valid Federated Services server running on a different machine, and 2) an SSL certificate.

So I took a virtual machine and installed Active Directory and I was trying to install the FS service, when I found out that FS is asking for yet another SSL certificate.

So, do I need two SSL certificates, or a multi-subdomain SSL certificate? Are they the same type of certificate?

  • I'm confused about why you need a web application proxy? If your goal is to redirect users on port 80 to port 443, a web application proxy is not required for that? – k1DBLITZ Mar 22 '15 at 22:51
  • Doesn't your REST API server support TLS directly? There is no need to make the system unnecessarily complex by adding other parts. – Tero Kilkanen Mar 23 '15 at 06:33
  • Hi Tero. No, my application does not support TLS directly - I'm developing it using C++ Casablanca, which has no TLS support. I understand it is normal to use a reverse proxy to handle HTTPS requests. That makes my application simpler, since it does not concern itself with transport. – André Arroyo Ruiz Mar 23 '15 at 19:40
  • No, k1DBLITZ, my goal is not to redirect users to port 443. My goal is to have a port 443. That will be the external entry point, and the reverse proxy server will do the bridge with my API's port, which will be kept not accessible from outside the firewall. – André Arroyo Ruiz Mar 23 '15 at 19:45

2 Answers

0

Well, it seems I need one certificate, of wildcard or SAN type, according to this post. Then I should use the same certificate on both servers. It seems too complicated and too expensive; maybe I should look for a Linux proxy server instead...

0

You only need a SAN or wildcard certificate if you are trying to secure multiple sites with one SSL certificate. If you are doing SSL bridging, you will need two SSL cert licenses (not a SAN or wildcard), one for the proxy and one for Windows. If you are doing SSL off-loading, only one is needed on the proxy.

Hunny
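
To see which names a single-name, SAN or wildcard certificate would actually cover for the proxy and the federation server, the matching rule can be written out. This is an added example, not code from either answer; the hostnames are constructed placeholders, and the "two fixed labels" wildcard limit is a conservative assumption.

```python
# Added example: hostnames are constructed placeholders, not taken from the posts.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole left-most label and
    covers exactly one label, so *.example.test matches api.example.test
    but neither example.test nor a.b.example.test."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Conservative assumption: require two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(san_entries, hosts):
    """Return the hosts that no SAN entry of the certificate covers."""
    return [h for h in hosts
            if not any(name_matches(s, h) for s in san_entries)]


def certificate_shape(hosts):
    """Suggest the narrowest certificate shape for a set of TLS endpoints."""
    names = sorted({h.lower().rstrip(".") for h in hosts})
    if len(names) == 1:
        return ("single-name", names)
    # A wildcard only helps when every name is one label under the same parent.
    if names and all(n.count(".") >= 2 for n in names):
        parents = {n.split(".", 1)[1] for n in names}
        if len(parents) == 1:
            return ("san-or-wildcard", ["*." + parents.pop()])
    return ("san", names)


if __name__ == "__main__":
    # Off-loading: only the proxy terminates TLS, so one public name.
    print(certificate_shape(["api.example.test"]))
    # Proxy and federation server both terminate TLS: two names.
    endpoints = ["api.example.test", "sts.example.test"]
    print(certificate_shape(endpoints))
    # A single-name certificate for the proxy leaves the second host uncovered.
    print(uncovered(["api.example.test"], endpoints))
```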