Solved

Install same SSL certificate on internal IIS server as is installed on external website shopping cart?

Posted on 2012-03-23
507 Views
Last Modified: 2012-04-23
We have an ERP system that has web services to facilitate custom built websites. Part of the process of installing web services was setting up IIS with an SSL certificate.

Since we bought a shopping cart product that is hosted outside the company and would need to pass credit card information along with order information to the ERP system from the website I was wondering if the same SSL certificate has to be installed on both sides?

Or do we need two different SSL certificates and they would still work together in securing transaction communications?
Question by:ETdude
15 Comments
 
LVL 12

Assisted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 140 total points
ID: 37757767
If they are on the same server, the same SSL can be used for both the websites (as long as the link is the same).

SSL certificates are created on a per-machine basis.
0
 

Author Comment

by:ETdude
ID: 37757910
Our ERP server is inside the company. The shopping cart is on a server hosted by an outside company.

It was my understanding that SSL is associated with a domain and not per machine.
0
 
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 37757917
When we change servers, we usually create a new certreq for the new server.
0
 

Author Comment

by:ETdude
ID: 37758037
I am not changing servers. I am simply trying to understand the SSL relationship between an outside website that sends order data to an inside application.
0
 
LVL 12

Assisted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 140 total points
ID: 37758094
SSLs are independent of inside / outside. Changing servers was just to explain my reasoning.

The SSL would be different and the domain would need to be different as the same A Record cannot point to two different IP addresses.

To summarise, the two servers would need two separate SSLs or a single wildcard SSL for two servers - a pretty expensive option.
0
 
LVL 39

Assisted Solution

by:noci
noci earned 210 total points
ID: 37759555
You can associate an SSL certificate with an IP address/port pair.
What happens is this:
a system is configured with an FQDN hostname (or a URL entered in a browser),
the name is resolved to an IP address.
This IP address is connected to and presents the certificate (with some domain name).

The certificate domain name is compared to the FQDN hostname (and the remainder of the certificate is checked for validity); if there is a match then the connection is accepted.
(and with a browser, the request is sent with a Host: FQDNhostname header).

You can use ANY certificate you like if the signing CA certificate is in the authorized certificate store. So you can create your own chain for private needs.
Also you can select the right names for the servers so that they match on some certificate.
0
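The resolve-then-compare sequence noci describes, as an added Python example that is not part of the original thread: it implements the name-matching rule a client applies (exact match, or a wildcard covering exactly one leftmost label; an IP literal never satisfies a DNS name) and then walks a constructed DNS table and a constructed IP/port binding table to show why the shop's certificate copied onto the ERP server's binding is rejected, while a certificate issued for the ERP's own name on a separate port is accepted. Every host name, address and port below is constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (SAN dNSName or CN) against a hostname.

    Conservative rules, close to what browsers apply:
    - case-insensitive, trailing dots ignored
    - a wildcard is honoured only as the whole leftmost label ("*.example.com")
    - the wildcard covers exactly one label: "*.example.com" matches
      "erp.example.com" but neither "a.erp.example.com" nor "example.com"
    - "*.tld" style names are refused as too broad
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name carried by the certificate matches the hostname."""
    try:
        ipaddress.ip_address(hostname)
        return False  # the client connected to a bare IP; a dNSName cannot satisfy that
    except ValueError:
        pass
    return any(name_matches(n, hostname) for n in cert_names)


def simulated_handshake(fqdn: str, port: int,
                        dns: Dict[str, str],
                        bindings: Dict[Tuple[str, int], List[str]]) -> Tuple[bool, str]:
    """Walk the steps from the post: FQDN -> IP, (IP, port) -> certificate, name compared.

    dns:      constructed name -> address table (stands in for the resolver)
    bindings: constructed (address, port) -> names in the certificate bound there
    Returns (accepted, reason).
    """
    ip = dns.get(fqdn.lower())
    if ip is None:
        return False, f"{fqdn} does not resolve"
    cert_names = bindings.get((ip, port))
    if cert_names is None:
        return False, f"no TLS listener bound on {ip}:{port}"
    if not cert_matches_host(cert_names, fqdn):
        return False, f"certificate names {cert_names} do not match {fqdn}"
    return True, f"certificate on {ip}:{port} matches {fqdn}; connection accepted"


# Constructed sample tables (not taken from the page).
DNS = {
    "shop.example.com": "203.0.113.10",  # hosted shopping cart, public address
    "erp.example.com": "10.0.0.5",       # internal ERP/IIS server
}
BINDINGS = {
    ("203.0.113.10", 443): ["shop.example.com"],  # the purchased shop certificate
    ("10.0.0.5", 443): ["shop.example.com"],      # same certificate copied to the ERP server
    ("10.0.0.5", 444): ["erp.example.com"],       # certificate issued for the ERP's own name
}

if __name__ == "__main__":
    for target in (("shop.example.com", 443), ("erp.example.com", 443), ("erp.example.com", 444)):
        print(target, simulated_handshake(*target, DNS, BINDINGS))
```

Note that the decision never looks at the address the certificate was served from; only the name the client asked for matters, which is why the same certificate "works" on the shop's binding and fails on the ERP's binding at port 443.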
 

Author Comment

by:ETdude
ID: 37760077
I am not creating SSL certificates as that appears to be another project in and of itself that I don't want to get into.

I already purchased SSL certificates and simply want to know whether I must, or can, use the same SSL certificate on the inside IIS server as the one I gave to the hosting company to install for our website, in order for the entire transmission from the website hosted outside to the application hosted inside to be secured within SSL.
0
 
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 37760173
As advised, unless it's a wildcard SSL, you can't install it.

Try it and it will give you an error when binding the SSL.
0
 
LVL 39

Expert Comment

by:noci
ID: 37760216
Technically it will only work if the DNS names of both systems are the same, which would give more headaches than separate certificates give.
0
 
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 37762333
If they are in two separate locations, their IP Addresses would be different, how would you have the same hostname?
0
 
LVL 39

Expert Comment

by:noci
ID: 37763585
Don't try this, unless you are at home ;-)...
You need more than one DNS server, different setups for resolving, and they shouldn't get mixed up... [ or mix host files into this mix for some more spice ].

BTW, certificates are NOT IP address based. They only hold an FQDN or wildcard spec.
The circle closes because you specify a certificate for a port that is bound to some IP address. And a DNS server holds a translation from an FQDN -> IP address.
0
 
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 37764631
Hi Noci,

I believe that's exactly what I have been going on about for the last couple of days but not getting through.
0
 
LVL 39

Accepted Solution

by:noci
noci earned 210 total points
ID: 37766046
Disclaimer:
For security build your own CA management (for Windows it is available on Domain Controllers (I am no Windows user so I can't really tell you)). With OpenSSH there is a perl script (CA.pl) that can manage certificate requests & signing. [ Technically it's easy; managing a set of certification processes/procedures for larger companies can be more troublesome though ].

That said:
See to it that host lookups on the originating router first use the hosts file and then go to DNS (on Linux: nsswitch.conf, files should be mentioned first).
Then add the internal host to the hosts file. Use the certificate with the matching name on your internal server (preferably on a relocated port...)
e.g. use 444 for this service and connect from your external server to this 444 port...

beside the CA.pl tool there are:
tinyca: http://tinyca.sm-zone.net/
and
xca: http://www.hohnstaedt.de/xca.html

btw, the warranty on this advice expired when you started reading it.
0
 

Author Comment

by:ETdude
ID: 37798685
Is there a way to test that data is being secured within SSL from originating point to end point?
0
 
LVL 39

Assisted Solution

by:noci
noci earned 210 total points
ID: 37799723
That's what SSL + certificates are for: to ensure that both ends of a connection are who they say they are,
and that the connection is confidential. If parts of the system fail [ like CA certificates being easily forgeable (Malaysian CA) or created by break-ins at CAs (DigiNotar, and others, see recent news) ] then there is the risk that someone else can fake their identity.
Then the proper solution would be to distrust any CA that got its certificates misused [ that would lead to immediate bankruptcy of 5-6 MAJOR CAs, but it is what was done to DigiNotar ]. Privately distrusting CAs will only help until the next update to the trusted CA store by your browser provider.

The encryption can be influenced by selecting allowed methods, hashes etc.
Only allow SSL3 or TLS1 [ SSL2 allows man-in-the-middle attacks ].
You can monitor the content of SSL links [ if you have the certificate ] with ssldump: http://www.rtfm.com/ssldump/
You can obviously log all packets using Wireshark, tcpdump et al. and see that they are encrypted.

You should think of SSL + X.509 as trust management, with trust in its literal meaning.
0
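Two of noci's points, as one added Python example that is not from the original thread: connecting from the external server to a relocated port on the internal host while the certificate is checked against the matching name (the accepted solution), and restricting the allowed protocol versions (the post above). Passing the expected name to `wrap_socket()` decouples the address the client connects to from the name the certificate must carry, so the client side needs no hosts-file override; a certificate issued for a different name (for instance the shop's certificate copied onto the ERP server) is rejected with `ssl.SSLCertVerificationError` before any order data is sent. The example sets a TLS 1.2 floor rather than the SSL3/TLS1 floor named above, which reflects current practice. The address 10.0.0.5, port 444, the name erp.example.com and the CA file path are hypothetical values.

```python
import socket
import ssl
from typing import Optional


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client-side context: chain validation, name check, and a protocol floor.

    cafile: PEM file of a privately run CA (hypothetical path, supplied by the caller)
            for self-managed certificates; when None, the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED          # the peer must present a trusted chain
    ctx.check_hostname = True                    # and its name must match server_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2 # SSL2/SSL3/TLS1.0/TLS1.1 refused outright
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the verification policy so it can be reviewed without opening a connection."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def connect_pinned(ip: str, port: int, expected_hostname: str,
                   cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open TLS to a literal ip:port but validate the certificate against expected_hostname.

    No DNS lookup happens for the address; server_hostname supplies both the SNI value
    and the name the certificate is compared with. This is the client-side equivalent of
    the hosts-file override: the name and the address are decoupled deliberately.
    Raises ssl.SSLCertVerificationError when the chain or the name does not check out,
    and OSError when the TCP connection itself fails.
    Returns the validated peer certificate plus the negotiated protocol and cipher.
    """
    ctx = make_client_context(cafile)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected_hostname) as tls:
            return {
                "cert": tls.getpeercert(),   # parsed subject/issuer/SAN of the validated cert
                "protocol": tls.version(),   # e.g. "TLSv1.2" or "TLSv1.3"
                "cipher": tls.cipher(),
            }


if __name__ == "__main__":
    print(context_policy(make_client_context()))
    # Hypothetical internal ERP address, relocated port and private CA file:
    # result = connect_pinned("10.0.0.5", 444, "erp.example.com", cafile="private-ca.pem")
    # print(result["protocol"], result["cert"]["subjectAltName"])
```

The returned `protocol` and `cipher` answer the later question of how to check that the link is actually encrypted end to end: if the handshake completes under this context, the peer presented a certificate chaining to the configured CA, carrying the expected name, over TLS 1.2 or newer; a packet capture on the path would then show only the handshake and encrypted records.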
