Install SSL certicate that has a different hostname than server?

I have a customer that has an IBM Websphere server that he wants to enable SSL on.  The certificate that was ordered has a different name that the server name.  The customer cannot rename the server or order another certificate.  Is there a way to get this certificate installed without rebuilding the server or renaming it?
bdcworkAsked:
Who is Participating?
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
A registered SSL cert is certified by the vendor and is appointed to that server/domain name. If you were able to move the verified certificate to another server with a different name, then that would open up loop holes for running illegal sites with real certificates.
0
 
gmilhonCommented:
As part of cert verification browsers require the cert's CN to match the hostname. All you need to do is setup a DNS record to point to your server with the CN that was created. Example: if your servers IP address is 1.2.3.4 and the CN on the cert is server.domain.com, then setup a DNS record for server.domain.com to point to 1.2.3.4. IBM WAS doesn't care what the cert it, it will just present it back to the client. And the client ensures that the hostname entered for the URL matches the CN in the cert. If they don't match, the user will be prompted with a warning.
0
 
bdcworkAuthor Commented:
What if websphere won't accept the certificate into the keystore because the hostname is different?
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
gmilhonCommented:
Websphere doesn't care about the hostname, you can just import the cert into your JKS (Java Key Store) using ikeyman, IBM's key manager. Then configure the WAS server to use that. You will also need to make sure you setup the virtual hosts to accept requests for your DNS name in the CN.
0
 
bdcworkAuthor Commented:
Do you have a code snippet or reference on how to have websphere use that keystore?  I still cannot import the cert because the host specified is different...
0
 
gmilhonCommented:
How are you trying to put the cert in the keystore? Are you using ikeyman? Please post the specific errors you are getting and how you are doing it.
0
 
bdcworkAuthor Commented:
The error I get is:

CWPKI0662E: Certificate with a public key matching the public key in the certificate from the Certificate Authority is not found in key store "WCServerKeyStore".
0
 
gmilhonCommented:
This isn't a problem with the hostname or CN. You need to import the root CA intermediate cert into your keystore if it isn't there already. The keystore needs to include the cert that your cert was signed with, this is called the root CA cert. You can d/l all the root CAs here: http://www.verisign.com/support/roots.html. From that ZIP, install all the certs you need that your cert was signed with.

If you need help in knowing which one to install in your keystore, you will need to post the cert chain for your cert. Or just post the public cert here.
0
 
bdcworkAuthor Commented:
I will try that out after the holiday...thanks....
0
 
gmilhonCommented:
Please let me know if you have any questions or can close this question out.
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Is this issue resolved or still needs to be addressed?
http://www.experts-exchange.com/help.jsp#hi331
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.