  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 523

Install same SSL certificate on internal IIS server as is installed on external website shopping cart?

We have an ERP system that has web services to facilitate custom built websites. Part of the process of installing web services was setting up IIS with an SSL certificate.

Since we bought a shopping cart product that is hosted outside the company and would need to pass credit card information along with order information to the ERP system from the website I was wondering if the same SSL certificate has to be installed on both sides?

Or do we need two different SSL certificates and they would still work together in securing transaction communications?
Asked by: ETdude
5 Solutions
 
Imtiaz HashamCommented:
If they are on the same server, the same SSL can be used for both the websites (as long as the link is the same).

SSL Certificates are created per machine basis.
0
 
ETdudeAuthor Commented:
Our ERP server is inside the company. The shopping cart is on a server hosted by an outside company.

It was my understanding that SSL is associated with a domain and not per machine.
0
 
Imtiaz HashamCommented:
When we change servers, we usually create a new certreq for the new server.
0
 
ETdudeAuthor Commented:
I am not changing servers, simply trying to understand the SSL relationship between an outside website that sends order data to an inside application.
0
 
Imtiaz HashamCommented:
SSLs are independent of inside / outside. Changing servers was just to explain my reasoning.

The SSL would be different and the domain would need to be different as the same A Record cannot point to two different IP addresses.

To summarise, the two servers would need two separate SSLs or a single wildcard SSL for two servers - a pretty expensive option.
0
 
nociSoftware EngineerCommented:
You can associate an SSL certificate with an IP address/port pair.
What happens is this:
a system is configured with an FQDN hostname (or a URL entered in a browser),
the name is resolved to an IP address.
This IP address is connected to and presents the certificate (with some domain name).

The certificate domain name is compared to the FQDN hostname (and the remainder of the certificate is checked for validity); if there is a match, then the connection is accepted.
(And with a browser, the request is sent with a Host: FQDNhostname header.)

You can use ANY certificate you like if the signing CA certificate is in the authorized certificate store. So you can create your own chain for private needs.
Also you can select the right names for the servers so that they match on some certificate.
0
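The name check noci describes above (and the later point that certificates hold only an FQDN or wildcard, not an IP address) can be shown with a small matcher. This is an added example, not code from the thread; the SAN lists and hostnames are constructed, and the wildcard rules follow RFC 6125 in its strict, single-label form.

```python
"""Hostname-vs-certificate matching as a browser or IIS client performs it.

Added example, not from the thread. The certificate's Subject Alternative
Names are a constructed list (no real certificate is parsed), which is
enough to show that a certificate is tied to DNS names, not to machines or
IP addresses, and exactly which names a wildcard covers.
"""


def san_matches_host(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    Matching is case-insensitive and exact, or via a wildcard that is the
    entire leftmost label and covers exactly one label: '*.example.com'
    matches 'shop.example.com' but neither 'example.com' nor
    'a.b.example.com'. A bare IP literal never matches a dNSName.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if hostname.replace(".", "").isdigit():
        return False  # dNSName entries do not cover IP addresses
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, with at least two labels
    # after it (no '*.com'), and no further wildcards anywhere.
    if san_labels[0] != "*" or len(san_labels) < 3 or "*" in san_labels[1:]:
        return False
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def cert_covers_host(san_list: list, hostname: str) -> bool:
    """True if any dNSName in the certificate covers hostname."""
    return any(san_matches_host(san, hostname) for san in san_list)


def which_hosts_are_covered(san_list: list, hosts: list) -> dict:
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: cert_covers_host(san_list, h) for h in hosts}


# Constructed scenario mirroring the question: a certificate bought for the
# externally hosted shop, and a wildcard alternative, checked against the
# names an internal ERP server might carry.
SHOP_CERT_SANS = ["shop.example.com", "www.shop.example.com"]
WILDCARD_CERT_SANS = ["*.example.com", "example.com"]

if __name__ == "__main__":
    hosts = ["shop.example.com", "erp.example.com", "erp.corp.example.com", "192.0.2.10"]
    print(which_hosts_are_covered(SHOP_CERT_SANS, hosts))
    print(which_hosts_are_covered(WILDCARD_CERT_SANS, hosts))
```

Run it and the shop certificate covers only the shop's own names, while the wildcard covers one label under example.com but not a deeper internal name or an IP address.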
 
ETdudeAuthor Commented:
I am not creating SSL certificates as that appears to be another project in and of itself that I don't want to get into.

I already purchased SSL certificates and simply want to know if I must or can use the same SSL certificate on the inside IIS server as the one I gave to the hosting company to install for our website, in order for the entire transmission from the website hosted outside to the application hosted inside to be secured within SSL.
0
 
Imtiaz HashamCommented:
As advised, unless it's a wildcard SSL, you can't install it.

Try it and it will give you an error when binding the SSL.
0
 
nociSoftware EngineerCommented:
Technically it will only work if the DNS names of both systems are the same, which would give more headaches than separate certificates give.
0
 
Imtiaz HashamCommented:
If they are in two separate locations, their IP Addresses would be different, how would you have the same hostname?
0
 
nociSoftware EngineerCommented:
Don't try this, unless you are at home ;-)...
You need more than one DNS server, different setups for resolving, and they shouldn't get mixed up... [ or mix host files into this mix for some more spice ].

BTW, certificates are NOT IP address based. They only hold an FQDN or wildcard spec.
The circle closes because you specify a certificate for a port that is bound to some IP address. And a DNS server holds a translation from an FQDN -> IP address.
0
 
Imtiaz HashamCommented:
Hi Noci,

I believe that's exactly what I have been going on about for the last couple of days but not getting through.
0
 
nociSoftware EngineerCommented:
Disclaimer:
For security build your own CA management (for Windows it is available on domain controllers (I am no Windows user so I can't really tell you). With OpenSSH there is a perl script (CA.pl) that can manage certificate requests & signing. [ technically it's easy, managing a set of certification processes/procedures for larger companies can be more troublesome though ].

That said:
See to it that host lookups on the originating router first use the host file and then go to DNS (on Linux: nsswitch.conf, files should be mentioned first).
Then add the internal host to the host file. Use the certificate with the matching name on your internal server (preferably on a relocated port...),
e.g. use 444 for this service and connect from your external server to this 444 port...

beside the CA.pl tool there are:
tinyca: http://tinyca.sm-zone.net/
and
xca: http://www.hohnstaedt.de/xca.html

btw, the warranty on this advice expired when you started reading it.
0
 
ETdudeAuthor Commented:
Is there a way to test that data is being secured within SSL from originating point to end point?
0
 
nociSoftware EngineerCommented:
That's what SSL + certificates are for, to ensure that both ends of a connection are who they say they are.
And that the connection is confidential. If parts of the system fail [ like CA certificates being easily forgeable (Malaysian CA) ] or created by break-ins at CAs [ DigiNotar, and others, see recent news ] then there is the risk that someone else can fake their identity.
Then the proper solution would be to distrust any CA that got its certificates misused [ That would lead to immediate bankruptcy of 5-6 MAJOR CAs, but it is what's done to DigiNotar ]. Privately distrusting CAs will only help until the next update to the trusted CA store by your browser provider.

The encryption can be influenced by selecting allowed methods, hashes etc.
Only allow SSL3 or TLS1 [ ssl2 allows man in the middle attacks ].
You can monitor the content of SSL links [ if you have the certificate ] with ssldump: http://www.rtfm.com/ssldump/
You can obviously log all packets using wireshark, tcpdump et al. and see that they are encrypted.

You should think of SSL + x.509 as Trust management, with trust in it literal meaning.
0
