Can't install (UCC) SSL cert on multiple servers. IIS, SSL

Ok, so we purchased some SSL [Multiple Domain (UCC)] from GoDaddy.

I was successfully able to install the cert on 1 server, then I was not on any others.

When I called in for support, the guy said we have to export it from the original server and import it into the other servers we want.

Can someone walk me through this process?

Thanks.
Using IIS
funnymanmike Asked:

Paranormastic (Cryptographic Engineer) Commented:
Basically, when you create the Certificate Signing Request (CSR) file, you generate the public & private key pair at that time.  You need to install the certificate on that same box so it can match itself up with that key pair.  You will need to export the certificate and include both the public and private keys in order for things to work on other servers that are listed in your UCC cert.

From the original server:
Open IIS - go into properties of the site that has it installed, e.g. Default First Site
Directory Security tab - click Server Certificate button
Follow the wizard - you can choose to either export it to a .pfx file or to copy (not move) to another server.

If you do the pfx, move it to a USB drive (i.e. take it off the hard drive instead of just copying it) and install from that onto your other web servers from the same area and point it to the pfx file.  Now you have it installed and backed up on the USB drive - keep the USB drive in a static bag and locked up - that cert represents the validity of your websites, don't stick it on your USB drive on your keychain!
0
funnymanmike (Author) Commented:
I followed your instructions

I downloaded the cert from GoDaddy
ran certificates to install the p7b file
ran IIS to set up the SSL
confirmed that site was working with no issues
exported the pfx file to a network drive
went to server 2, install the pfx import
website2 still generating certificate issues
installed the p7b file on website 2
website2 still generating certificate issues

I am making no progress here
0
Paranormastic (Cryptographic Engineer) Commented:
Just to confirm the following:
1) You are typing in a name that matches on the UCC certificate - view the certificate and check Details tab to verify that the cert contains what you think it should in Subject Name and Subject Alternate Name fields.  I.e. you aren't using localhost or something like that to hit it from the internal vs. external name.

2) The certificate warning message - what is the error message?  I am working under the assumption that it is the name mismatch, not the trust or validity messages.  If it is the trust message, check the name of the Issuer on the details tab and make sure that matches exactly to the name of the bottom CA in the chain that you installed as p7b.  GoDaddy has multiple CAs that they issue through.  Maybe you just happened to already have the right one on serverA from MS root update that might not have been applied to serverB or something.

3) When you try importing the p7b, choose to manually place it and browse... - enable checkbox for Show Physical Stores, then point to Trusted Root Certificates.  Try this on the server.  I don't think you need to for client as you say it works ok for the other...
0

funnymanmike (Author) Commented:
1) I don't know what you mean? Are you talking about online where the certificate resides? Or the password that was required to copy it from one server to another?

2) see code snippet
 


There is a problem with this website's security certificate.

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help.

0
Paranormastic (Cryptographic Engineer) Commented:
The name that you type into the address bar matches exactly what is in the UCC cert.  If you have the cert for ServerB.domain.com you need to type that in, not just ServerB or localhost as these would not match up correctly.

Looks like it is what I figured for the warning - name mismatch.  We should focus on the cert itself and how it is being referred - the root chain (p7b) should be fine since it wasn't mentioned in the warning.
0
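The export/import step and the name-versus-trust check discussed in the answers above, as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2012 or later (PKI module cmdlets and the `DnsNameList` property); `<THUMBPRINT>`, `C:\secure\ucc.pfx`, the host names and the function name `Test-UccCert` are placeholders or hypothetical.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ (PKI module).
# Placeholders/hypothetical: <THUMBPRINT>, C:\secure\ucc.pfx, the host names below.

# --- On server 1 (where the CSR was generated): export cert WITH private key ---
$pw   = Read-Host -AsSecureString 'PFX password'
$cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
if (-not $cert.HasPrivateKey) { throw 'No private key here; export from the CSR box.' }
Export-PfxCertificate -Cert $cert -FilePath 'C:\secure\ucc.pfx' -Password $pw | Out-Null

# --- On server 2: import into the machine store (re-enter the same password) ---
$pw  = Read-Host -AsSecureString 'PFX password'
$new = Import-PfxCertificate -FilePath 'C:\secure\ucc.pfx' `
         -CertStoreLocation Cert:\LocalMachine\My -Password $pw

# --- On server 2: check the three things the thread distinguishes ---
function Test-UccCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$HostNames   # names users actually type in the address bar
    )
    # DNS names from the Subject Alternative Name extension
    $san = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($h in $HostNames) {
        # Exact match, or a single-label wildcard such as *.example.com
        $hit = $san | Where-Object {
            $_ -ieq $h -or
            ($_.StartsWith('*.') -and $h.Contains('.') -and
             $h.Substring($h.IndexOf('.')) -ieq $_.Substring(1))
        }
        [pscustomobject]@{
            HostName      = $h
            NameInCert    = [bool]$hit          # False => "issued for a different website's address"
            HasPrivateKey = $Cert.HasPrivateKey # False => cert imported without its key
            ChainTrusted  = $Cert.Verify()      # False => intermediate/root (p7b) missing
        }
    }
}

# Constructed sample names: a listed FQDN, a short name, and localhost
Test-UccCert -Cert $new -HostNames 'www.example.com', 'serverb', 'localhost' | Format-Table
```

A row with `NameInCert = False` corresponds to the name-mismatch warning quoted in the thread; `ChainTrusted = False` corresponds to the trust warning that the p7b chain addresses.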
funnymanmike (Author) Commented:
I went back to the GoDaddy site to add the name, I am just waiting on the approval of that.
0
funnymanmike (Author) Commented:
I was unable to achieve this, so I refunded the 5 domain certificate and just bought 3 single site certificates

all installed with no issues.
0
