Solved

Install same SSL certificate on internal IIS server as is installed on external website shopping cart?

Posted on 2012-03-23
15
510 Views
Last Modified: 2012-04-23
We have an ERP system that has web services to facilitate custom built websites. Part of the process of installing web services was setting up IIS with an SSL certificate.

Since we bought a shopping cart product that is hosted outside the company and would need to pass credit card information along with order information from the website to the ERP system, I was wondering whether the same SSL certificate has to be installed on both sides.

Or do we need two different SSL certificates and they would still work together in securing transaction communications?
Question by:ETdude
15 Comments

Assisted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 140 total points
ID: 37757767
If they are on the same server, the same SSL can be used for both the websites (as long as the link is the same).

SSL certificates are created on a per-machine basis.

Author Comment

by:ETdude
ID: 37757910
Our ERP server is inside the company. The shopping cart is on a server hosted by an outside company.

It was my understanding that SSL is associated with a domain and not per machine.

Expert Comment

by:Imtiaz Hasham
ID: 37757917
When we change servers, we usually create a new certreq for the new server.
Author Comment

by:ETdude
ID: 37758037
I am not changing servers; I am simply trying to understand the SSL relationship between an outside website that sends order data to an inside application.

Assisted Solution

by:Imtiaz Hasham
Imtiaz Hasham earned 140 total points
ID: 37758094
SSLs are independent of inside / outside. Changing servers was just to explain my reasoning.

The SSL would be different and the domain would need to be different as the same A Record cannot point to two different IP addresses.

To summarise, the two servers would need two separate SSLs, or a single wildcard SSL for two servers - a pretty expensive option.

Assisted Solution

by:noci
noci earned 210 total points
ID: 37759555
You can associate an SSL certificate with an IP address/port pair.
What happens is this:
a system is configured with an FQDN hostname (or a URL is entered in a browser),
the name is resolved to an IP address.
This IP address is connected to and presents the certificate (with some domain name).

The certificate domain name is compared to the FQDN hostname (and the remainder of the certificate is checked for validity); if there is a match then the connection is accepted.
(And with a browser, the request is sent with a Host: FQDNhostname header.)

You can use ANY certificate you like if the signing CA certificate is in the authorized certificate store. So you can create your own chain for private needs.
Also you can select the right names for the servers so that they match on some certificate.
Author Comment

by:ETdude
ID: 37760077
I am not creating SSL certificates, as that appears to be another project in and of itself that I don't want to get into.

I already purchased SSL certificates and simply want to know whether I must, or can, use the same SSL certificate on the inside IIS server as the one I gave to the hosting company to install for our website, so that the entire transmission from the website hosted outside to the application hosted inside is secured within SSL.

Expert Comment

by:Imtiaz Hasham
ID: 37760173
As advised, unless it's a wildcard SSL, you can't install it.

Try it and it will give you an error when binding the SSL.

Expert Comment

by:noci
ID: 37760216
Technically it will only work if the DNS names of both systems are the same, which would give more headaches than separate certificates give.

Expert Comment

by:Imtiaz Hasham
ID: 37762333
If they are in two separate locations, their IP Addresses would be different, how would you have the same hostname?

Expert Comment

by:noci
ID: 37763585
Don't try this, unless you are at home ;-)...
You need more than one DNS server, different setups for resolving, and they shouldn't get mixed up... [or mix hosts files into this mix for some more spice].

BTW, certificates are NOT IP address based. They only hold an FQDN or wildcard spec.
The circle closes because you specify a certificate for a port that is bound to some IP address. And a DNS server holds a translation from an FQDN -> IP address.

Expert Comment

by:Imtiaz Hasham
ID: 37764631
Hi Noci,

I believe that's exactly what I have been going on about for the last couple of days but not getting through.

Accepted Solution

by:
noci earned 210 total points
ID: 37766046
Disclaimer:
For security, build your own CA management (for Windows it is available on domain controllers; I am no Windows user so I can't really tell you). With OpenSSH there is a perl script (CA.pl) that can manage certificate requests & signing. [Technically it's easy; managing a set of certification processes/procedures for larger companies can be more troublesome though.]

That said:
See to it that host lookups on the originating router first use the hosts file and then go to DNS (on Linux: nsswitch.conf, files should be mentioned first).
Then add the internal host to the hosts file. Use the certificate with the matching name on your internal server (preferably on a relocated port...),
e.g. use 444 for this service and connect from your external server to this 444 port...

Besides the CA.pl tool there are:
tinyca: http://tinyca.sm-zone.net/
and
xca: http://www.hohnstaedt.de/xca.html

BTW, the warranty on this advice expired when you started reading it.
Author Comment

by:ETdude
ID: 37798685
Is there a way to test that data is being secured within SSL from originating point to end point?

Assisted Solution

by:noci
noci earned 210 total points
ID: 37799723
That's what SSL + certificates are for: to ensure that both ends of a connection are who they say they are.
And that the connection is confidential. If parts of the system fail [like CA certificates being easily forgeable (Malaysian CA)] or are created by break-ins at CAs [DigiNotar, and others, see recent news] then there is the risk that someone else can fake their identity.
Then the proper solution would be to distrust any CA that got its certificates misused [that would lead to immediate bankruptcy of 5-6 MAJOR CAs, but it is what was done to DigiNotar]. Privately distrusting CAs will only help until the next update to the trusted CA store by your browser provider.

The encryption can be influenced by selecting allowed methods, hashes etc.
Only allow SSL3 or TLS1 [SSL2 allows man-in-the-middle attacks].
You can monitor the content of SSL links [if you have the certificate] with ssldump: http://www.rtfm.com/ssldump/
You can obviously log all packets using Wireshark, tcpdump et al. and see that they are encrypted.

You should think of SSL + X.509 as trust management, with trust in its literal meaning.
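The following is an added example, not code from the thread: a small model of the name check noci describes (resolve the FQDN, connect to that IP:port, compare the FQDN with the names in the certificate bound there). It shows why the shop's certificate is rejected on the ERP host unless the names match or the certificate is a wildcard, and why the hosts-file trick in the accepted answer still passes the check. All hostnames, addresses and bindings are constructed.

```python
# Added example, not from the thread. Models the client-side name check:
# resolve the FQDN, connect to IP:port, compare the FQDN with the certificate
# names bound there. Hostnames, addresses and bindings are constructed.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label
    (RFC 6125 style: '*.example.com' matches 'a.example.com', but
    neither 'example.com' nor 'a.b.example.com')."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if cert_labels[0] != "*":
        return cert_labels == host_labels
    # Wildcard must be a whole label, must not stand for the registered
    # domain, and matches exactly one label.
    return (len(cert_labels) >= 3 and len(cert_labels) == len(host_labels)
            and cert_labels[1:] == host_labels[1:])

def connect(hostname: str, port: int, resolver: dict, bindings: dict) -> tuple:
    """resolver: FQDN -> IP (DNS, or a hosts file consulted first);
    bindings: (IP, port) -> names in the certificate bound there (IIS-style).
    Returns (accepted, reason)."""
    ip = resolver.get(hostname)
    if ip is None:
        return False, "name does not resolve"
    names = bindings.get((ip, port))
    if names is None:
        return False, f"nothing bound on {ip}:{port}"
    if not any(name_matches(n, hostname) for n in names):
        return False, f"certificate {names} does not match {hostname}"
    return True, f"{hostname} -> {ip}:{port} accepted"

# The thread's setup: one purchased certificate for the hosted shop, and the
# ERP server inside the company on a different address (constructed values).
DNS = {"shop.example.com": "203.0.113.10", "erp.example.com": "192.0.2.20"}
SHOP_CERT = ["shop.example.com"]
WILDCARD_CERT = ["*.example.com"]

def both_servers(cert: list, port: int = 443) -> tuple:
    """Bind the same certificate on both servers; report each name check."""
    bindings = {("203.0.113.10", port): cert, ("192.0.2.20", port): cert}
    return (connect("shop.example.com", port, DNS, bindings)[0],
            connect("erp.example.com", port, DNS, bindings)[0])

def hosts_file_override() -> bool:
    """Accepted answer: the calling server's hosts file points the shop's name
    at the internal address and the service listens on 444, so the name
    the client checks still matches the shop certificate."""
    hosts = {**DNS, "shop.example.com": "192.0.2.20"}
    return connect("shop.example.com", 444, hosts, {("192.0.2.20", 444): SHOP_CERT})[0]
```

`both_servers(SHOP_CERT)` returns `(True, False)`, `both_servers(WILDCARD_CERT)` returns `(True, True)`, and `hosts_file_override()` returns `True`, matching the three outcomes discussed in the thread.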