5

I have a public web server that's also extensively used from the LAN. We're standing up a Windows AD CA server for the LAN side but we'll also need a public SSL Certificate for the web server. The website URL resolves to the internal IP on the LAN so I'm assuming I'll need to have both a public certificate and a LAN certificate installed at the same time.

How can this be accomplished?

joshhemphill

3 Answers

9

You can use a single public certificate for both external and internal clients. There is no need to use a separate certificate for internal clients. Keep things simple.

Crypt32
3

You can't use different certificates for the same website (*). Use a public certificate, internal clients will trust it just fine.

(*) There are workarounds, but they are quite cumbersome and you shouldn't use them unless absolutely required.

Massimo
  • Technically you can. You can bind a different certificate to each IP, and with SNI you can use a different certificate for each domain on the same IP. – yeya Jun 13 '19 at 21:01
  • @yeya As I was saying, there *are* workarounds :) You can have multiple websites hosting the same content on different IPs with different certificates, or you can use a reverse proxy to externally publish, with a public certificate, an internal web site which uses a private one. But my point was, unless you actually *need* different certificates for internal and external users, this is complex and useless. – Massimo Jun 13 '19 at 21:39
  • @Massimo, I may have to set up an L4 proxy at some point in the future to support differing content policies. If that becomes the case, would it just be a matter of using some command in a server block in nginx to choose which cert to serve? – joshhemphill Jun 14 '19 at 03:23
  • @Massimo: What defines whether e.g. TLS SNI is a "workaround" rather than full "ability"? – user1686 Jun 14 '19 at 06:46
  • @Robofan with a *reverse* proxy (not a *forward* one) you can expose a web site to the Internet using SSL termination, thus you can accept external connections *on the reverse proxy* using a public certificate, and then have the *proxy* connect to the internal web site which instead uses a private certificate. But if you are actually using a public certificate on the web site itself, you don't need such further complications. – Massimo Jun 14 '19 at 08:38
  • @grawity I know there are fully supported solutions to achieve that; I just used the term "workarounds" to mean they add more complexity and aren't actually needed unless you have a requirement to show different certificates to internal and external users. – Massimo Jun 14 '19 at 08:40
1

I would agree with the other comments that if a simpler setup works for you, go simple. But to answer your original question, you can have multiple site bindings: you would set up one with the internal IP address and internal certificate, and another with the external/DMZ IP and public certificate. I would also suggest defining a host name per binding and selecting the Require SNI checkbox (not checked below, but it should be).

[Screenshot: IIS Site Bindings dialog, https binding selected]

mlhDev
  • While technically correct, your answer assumes that the server has two IP addresses, one internal and one external/DMZ; this is quite unusual for a web server. – Massimo Jun 14 '19 at 16:06
  • You’re right (though a public web server with a LAN-exposed direct route isn’t great practice), and now I read your comments and see you’ve already thoroughly discussed this. I don’t think I’ve added anything that hasn’t been said yet. – mlhDev Jun 15 '19 at 01:45
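The multiple-bindings approach from the answer above, scripted as an added example (not code from the answerer or from Microsoft): two SNI-enabled HTTPS bindings on one IIS site, each tied to its own certificate, followed by a client-side check of which certificate is actually presented for each host name. It assumes the WebAdministration module, that the internal (AD CA) and public certificates are already in LocalMachine\My, and that the site name, host names and thumbprints are placeholders you replace.

```powershell
# Added example, not from the original post. Assumptions: IIS with the
# WebAdministration module; both certificates already in LocalMachine\My;
# site name, host names and thumbprints below are placeholders.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # placeholder
$Bindings = @(
    @{ Host = 'intranet.corp.example'; Thumbprint = '<INTERNAL-CERT-THUMBPRINT>' },
    @{ Host = 'www.example.com';       Thumbprint = '<PUBLIC-CERT-THUMBPRINT>' }
)

foreach ($b in $Bindings) {
    # SslFlags 1 = "Require Server Name Indication": with SNI both bindings
    # share *:443 instead of needing one IP address per certificate.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $b.Host)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
                       -HostHeader $b.Host -SslFlags 1
    }
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $b.Host
    # Associate the certificate from LocalMachine\My with this host:port.
    $binding.AddSslCertificate($b.Thumbprint, 'My')
}

# Client-side check: open a TLS session with a given SNI name and return the
# subject and issuer of the leaf certificate the server presented.
function Get-ServedCertificate {
    param([string]$Server, [string]$SniName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # The validation callback accepts any chain so the check also works
        # against the internal CA; only the returned subject is inspected.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($SniName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{ SniName = $SniName; Subject = $cert.Subject; Issuer = $cert.Issuer }
    } finally {
        $tcp.Dispose()
    }
}

# Each host name should come back with the certificate bound to it above.
foreach ($b in $Bindings) {
    Get-ServedCertificate -Server 'localhost' -SniName $b.Host
}
```

`netsh http show sslcert` lists the resulting hostname:port entries if you want to confirm the bindings from the HTTP.sys side as well.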