Install same SSL certificate on internal IIS server as is installed on external website shopping cart?

We have an ERP system that has web services to facilitate custom built websites. Part of the process of installing web services was setting up IIS with an SSL certificate.

Since we bought a shopping cart product that is hosted outside the company and would need to pass credit card information along with order information to the ERP system from the website I was wondering if the same SSL certificate has to be installed on both sides?

Or do we need two different SSL certificates and they would still work together in securing transaction communications?
Imtiaz Hasham (Technical Director / IT Consultant) commented:
If they are on the same server, the same SSL can be used for both websites (as long as the link is the same).

SSL certificates are created on a per-machine basis.
ETdude (Author) commented:
Our ERP server is inside the company. The shopping cart is on server hosted by outside company.

It was my understanding that SSL is associated with a domain and not per machine.
Imtiaz Hasham (Technical Director / IT Consultant) commented:
When we change servers, we usually create a new certreq for the new server.
ETdude (Author) commented:
I am not changing servers. I am simply trying to understand the SSL relationship between an outside website that sends order data to an inside application.
Imtiaz Hasham (Technical Director / IT Consultant) commented:
SSLs are independent of inside / outside. Changing servers was just to explain my reasoning.

The SSL would be different and the domain would need to be different, as the same A record cannot point to two different IP addresses.

To summarise, the two servers would need two separate SSLs or a single wildcard SSL for two servers - a pretty expensive option.
noci (Software Engineer) commented:
You can associate an SSL certificate with an IP address/port pair.
What happens is this:
a system is configured with an FQDN hostname (or a URL is entered in a browser),
the name is resolved to an IP address.
This IP address is connected to and presents the certificate (with some domain name).

The certificate domain name is compared to the FQDN hostname, and the remainder of the certificate is checked for validity; if there is a match, the connection is accepted.
(And with a browser, the request is sent with a Host: FQDNhostname header.)

You can use ANY certificate you like if the signing CA certificate is in the authorized certificate store. So you can create your own chain for private needs.
Also you can select the right names for the servers so that they match on some certificate.
ETdude (Author) commented:
I am not creating SSL certificates as that appears to be another project in of itself that I don't want to get into.

I already purchased SSL certificates and simply want to know if I must or can use the same SSL certificate on both inside IIS server as the one I gave to the hosting company to install for our website in order for the entire transmission from website hosted outside to application hosted inside to be secured within SSL.
Imtiaz Hasham (Technical Director / IT Consultant) commented:
As advised, unless it's a wildcard SSL, you can't install it.

Try it and it will give you an error when binding the SSL.
noci (Software Engineer) commented:
Technically it will only work if the DNS names of both systems are the same, which would give more headaches than separate certificates give.
Imtiaz Hasham (Technical Director / IT Consultant) commented:
If they are in two separate locations, their IP Addresses would be different, how would you have the same hostname?
noci (Software Engineer) commented:
Don't try this, unless you are at home ;-)...
You need more than one DNS server, different setups for resolving, and they shouldn't get mixed up... [ or mix host files into this mix for some more spice ].

BTW, certificates are NOT IP address based. They only hold an FQDN or wildcard spec.
The circle closes because you specify a certificate for a port that is bound to some IP address. And a DNS server holds a translation from an FQDN -> IP address.
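Editor's added worked example, not code from any poster in this thread, from IIS or from any certificate vendor: the name comparison that noci describes above (certificate name against the FQDN the client asked for, with the resolved IP playing no part) and the wildcard case raised earlier in the thread, written out as a small Python checker. It follows the RFC 6125 rules for DNS names: case-insensitive label-by-label comparison, subjectAltName DNS entries take precedence over the CN, a wildcard is allowed only as the whole leftmost label and matches exactly one label. The certificate names shop.example.com, erp.example.com and *.example.com are constructed placeholders for the external shop and the internal ERP endpoint.

```python
"""Hostname-vs-certificate matching, as a TLS client performs it.

Added example for this page; not IIS, OpenSSL or Windows code.
All certificate names and hostnames below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Certificate:
    """Only the parts of an X.509 certificate that name checking looks at."""
    subject_cn: str
    subject_alt_names: List[str] = field(default_factory=list)

    def dns_names(self) -> List[str]:
        # RFC 6125: if subjectAltName DNS entries exist they are authoritative
        # and the CN is ignored; CN is a fallback for old certificates only.
        return list(self.subject_alt_names) or [self.subject_cn]


def _labels(name: str) -> List[str]:
    # Case-insensitive, ignore a trailing dot ("shop.example.com." is the same host).
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name (possibly a wildcard) against a hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard matches exactly one label, never zero or several,
        # so "*.example.com" matches erp.example.com but not example.com
        # or a.b.example.com.
        return False
    if "*" not in pattern:
        return p == h
    # Wildcard rules: a single "*", only as the complete leftmost label
    # ("e*.example.com" is rejected), and at least two fixed labels must
    # remain so "*.com" can never match every .com host.
    if pattern.count("*") != 1 or p[0] != "*" or len(p) < 3:
        return False
    return p[1:] == h[1:]


def certificate_matches(cert: Certificate, hostname: str) -> bool:
    """True if any name the certificate carries matches the requested FQDN."""
    return any(name_matches(n, hostname) for n in cert.dns_names())


def explain(cert: Certificate, hostname: str, resolved_ip: str) -> str:
    """One-line verdict. The IP is shown only to make the point that it is
    not part of the decision: a cert for shop.example.com presented by the
    box that erp.example.com resolves to fails, whatever the address is."""
    verdict = "accepted" if certificate_matches(cert, hostname) else "REJECTED"
    return (f"{hostname} -> {resolved_ip}: presented {cert.dns_names()} -> {verdict}")


if __name__ == "__main__":
    # Constructed scenario from the thread: one cert per site, or one wildcard.
    shop_cert = Certificate("shop.example.com")
    erp_cert = Certificate("erp.example.com")
    wildcard = Certificate("*.example.com", ["*.example.com"])
    print(explain(shop_cert, "shop.example.com", "203.0.113.10"))  # accepted
    print(explain(shop_cert, "erp.example.com", "192.0.2.20"))     # REJECTED
    print(explain(erp_cert, "erp.example.com", "192.0.2.20"))      # accepted
    print(explain(wildcard, "shop.example.com", "203.0.113.10"))   # accepted
    print(explain(wildcard, "erp.example.com", "192.0.2.20"))      # accepted
    print(explain(wildcard, "example.com", "192.0.2.20"))          # REJECTED
```

The checker is why the thread's conclusion holds: the shop's certificate cannot be reused on the ERP server unless that server is reached under the very same name, while a wildcard certificate for the common parent domain covers both names on two different machines and addresses.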
Imtiaz Hasham (Technical Director / IT Consultant) commented:
Hi Noci,

I believe that's exactly what I have been going on about for the last couple of days but not getting through.
noci (Software Engineer) commented:
For security, build your own CA management (for Windows it is available on domain controllers; I am no Windows user so I can't really tell you). With OpenSSH there is a perl script that can manage certificate requests & signing. [ Technically it's easy; managing a set of certification processes/procedures for larger companies can be more troublesome though. ]

That said:
See to it that host lookups on the originating router first use the host file and then go to DNS (on Linux: nsswitch.conf, files should be mentioned first).
Then add the internal host to the host file. Use the certificate with the matching name on your internal server (preferably on a relocated port...)
e.g. use 444 for this service and connect from your external server to this 444 port...

Beside the tool there are:

BTW, the warranty on this advice expired when you started reading it.

ETdude (Author) commented:
Is there a way to test that data is being secured within SSL from originating point to end point?
noci (Software Engineer) commented:
That's what SSL + certificates are for: to ensure that both ends of a connection are who they say they are,
and that the connection is confidential. If parts of the system fail [ like CA certificates being easily forgeable (Malaysian CA) ] or are created by break-ins at CAs [ DigiNotar, and others, see recent news ] then there is the risk that someone else can fake their identity.
The proper solution would be to distrust any CA that got its certificates misused [ that would lead to immediate bankruptcy of 5-6 MAJOR CAs, but it is what was done to DigiNotar ]. Privately distrusting CAs will only help until the next update to the trusted CA store by your browser provider.

The encryption can be influenced by selecting allowed methods, hashes etc.
Only allow SSL3 or TLS1 [ SSL2 allows man-in-the-middle attacks ].
You can monitor the content of SSL links [ if you have the certificate ] with ssldump.
You can obviously log all packets using Wireshark, tcpdump et al. and see that they are encrypted.

You should think of SSL + X.509 as trust management, with trust in its literal meaning.
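Editor's added example, not code from this thread, from IIS or from the ERP vendor, in answer to the question of how to check from the originating end that a connection is really protected: a Python client context that sets a protocol floor, requires a certificate chaining to a CA you choose, and checks the server name, plus a helper that connects and reports the negotiated version, cipher suite and peer names (the programmatic counterpart of watching the handshake in ssldump or Wireshark). The floor used here is TLS 1.2; SSL 3.0, which the reply above still allows, has since been deprecated by RFC 7568. The host erp.example.com, port 444 (the relocated port suggested in the thread) and the file company-ca.pem are placeholders, and the network call needs a reachable server, so only the context-building part runs offline.

```python
"""Strict TLS client settings plus a handshake report.

Added example for this page; not code from any poster, IIS, or the ERP product.
ERP_HOST, ERP_PORT and CA_BUNDLE are assumed placeholders.
"""
import socket
import ssl
from typing import Any, Dict, List, Optional

ERP_HOST = "erp.example.com"   # assumed name of the internal IIS web-service endpoint
ERP_PORT = 444                 # assumed relocated port, as suggested in the thread
CA_BUNDLE = "company-ca.pem"   # assumed PEM file with the CA that issued the ERP cert


def build_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context: certificate required, hostname checked, TLS 1.2 floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already enables both of these; set them explicitly
    # so the intent is visible and survives later edits.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Protocol floor: SSLv2/SSLv3 are never offered by this module, and the
    # floor additionally excludes TLS 1.0 and 1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        # Private CA (the "build your own CA" option above): only certificates
        # chaining to this file are accepted for the connection.
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def allowed_versions(ctx: ssl.SSLContext) -> List[str]:
    """TLS versions not excluded by the context's floor (library support permitting)."""
    candidates = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return [v.name for v in candidates if v >= ctx.minimum_version]


def context_summary(ctx: ssl.SSLContext) -> Dict[str, Any]:
    """Plain-data view of the settings, for review or for a test."""
    return {
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "allowed": allowed_versions(ctx),
    }


def inspect_peer(host: str = ERP_HOST, port: int = ERP_PORT,
                 cafile: Optional[str] = CA_BUNDLE, timeout: float = 5.0) -> Dict[str, Any]:
    """Connect, finish the handshake and report what was actually negotiated.

    Raises ssl.SSLCertVerificationError if the chain or the name does not
    check out, which is exactly the failure you want to see rather than hide.
    Needs a reachable server, so it is not exercised offline.
    """
    ctx = build_client_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),       # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],       # negotiated cipher suite
                "peer_subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "peer_sans": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
            }


if __name__ == "__main__":
    print(context_summary(build_client_context()))
    try:
        print(inspect_peer())
    except (OSError, ssl.SSLError) as exc:
        # Placeholder host is not reachable; a name or chain mismatch also lands here.
        print(f"handshake with {ERP_HOST}:{ERP_PORT} failed: {exc}")
```

If the external shop host talks to the ERP web service through a library you do not control, the same three settings (CA to trust, hostname check on, version floor) are the ones to look for in its configuration; a successful inspect_peer run from that host, showing the expected peer names and a TLS 1.2 or 1.3 protocol, is the end-to-end check the question asks for.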