  • Status: Solved
  • Priority: Medium
  • Security: Public

Specify local name as well as internet name in cert

I am generating a CSR on 2008R2, the CSR is for a website that is accessed internally as https://program and externally as program.mydomain.com I am unsure of how I get the local name into the CSR as when generating it I only have the option for one common name.
Asked by Sid_F
1 Solution
 
Sushil Sonawane commented:
If you create the certificate through a CA then please refer to the link below.

(http://blogs.microsoft.co.il/blogs/roneng/archive/2008/03/20/create-certificate-for-exchange-2007-servers-using-windows-ca.aspx)

Or if you create the certificate through the Exchange PowerShell then please refer to the link below.

(http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates.html)

Through the Exchange EMC to create the certificate:

(http://technet.microsoft.com/en-us/library/dd351057.aspx#shell)
noci (Software Engineer) commented:
What you are looking for is called subject alternative name [ SAN ].
Then you can specify multiple names that are certified using the certificate.
Note that a CA needs to be able to verify a domain name, and if your internal domains are .local that cannot be done.
Dave Howe commented:
noci is correct.

For ease of use, I usually use xca (http://sourceforge.net/projects/xca) to generate a CSR and then submit it to whichever CA is being used for signing :)
Sid_F (Author) commented:
Just to clarify and give more details. My internal domain name is company.local and external is company.com. I have a service running on a server at http://server/webaccess. I plan to create a DNS alias so users just need to type http://webaccess and they get to it. They will use http://webaccess.company.com externally.

I need to implement https and employ an external certificate authority so when the user goes to https://webaccess internally they will not get an error, and externally as https://webaccess.mycompany.com

Firstly, is this possible? What is the easiest way to do this?
Sid_F (Author) commented:
The Cert is for IIS 7 not exchange
noci (Software Engineer) commented:
Then you need to give:

webaccess.mycompany.com, webaccess.local as SAN, and use https://webaccess.local

Internally, you need to use the FQDN as subject or SAN.
Sid_F (Author) commented:
OK, so it's possible. But what are the specific steps for doing this for IIS 7?
noci (Software Engineer) commented:
You need to create a certificate request (CSR) and get that signed with some CA.

see also: http://www.windowsitpro.com/article/certificates/subject-alternative-certificate-143828

You can use xca, an open-source certificate manager, if you don't have one, or you can use the Windows certificate manager role in Windows servers.
Sid_F (Author) commented:
I'm looking for a step by step guide to installing this without having to enable more roles on the server. I would presume there should be some powershell command to do this?
Dave Howe commented:
Should be able to just import the PFX for it into the appropriate keystore using the MMC snap-in.
noci (Software Engineer) commented:
I have no idea if PowerShell supports this without adding a role...
X.509 certificates are binary lumps of cryptographically generated data.
For a certificate you need:
- a private key [ generated by request tool, either xca or certificate manager role ]
- a subject [ + optionally alternate subjects, or wildcard ]
- identifying information [ location of requester etc. ]
- create a CSR from the above +
- send CSR to some CA willing to sign .local certificates [ this is NOT the Windows CA for a publicly visible server; for a private access server it can do this too ]
- receive the PFX / PEM / CRT file
- install the received file on servers

@DaveHowe, this is about the request, not about implementing the resulting certificate.
The PFX contains a certificate + signature (& optionally the private key).
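The request steps noci lists above (private key, subject, alternate names, CSR) can be done on Windows Server 2008 R2 with the built-in certreq.exe, without installing the Certification Authority role. The following is an added example written for this page, not code from the thread or from any of the posters; the host names, subject fields and file paths are assumptions and the `{text}` SAN syntax is the documented certreq form for OID 2.5.29.17.

```powershell
# Added example, not code from the thread: build a SAN-bearing CSR on
# Windows Server 2008 R2 with the built-in certreq.exe, so no Certification
# Authority role has to be installed. Host names, subject fields and paths
# are assumptions; replace them with your own.
$externalName = 'webaccess.mycompany.com'   # public name a CA can validate
$internalName = 'webaccess'                  # short internal alias
$workDir      = 'C:\certs'

# A public CA cannot validate names that do not resolve on the Internet
# (webaccess.company.local, or the bare 'webaccess'), so for a commercial
# purchase keep only public names here. A private/AD CA will sign all of them.
$sanNames = @($externalName, $internalName)

# certreq's "{text}" SAN syntax: one "dns=<name>&" token per name, each on a
# _continue_ line. The CN is repeated in the SAN because clients ignore the
# CN once a SAN extension is present.
$sanLines = ($sanNames | ForEach-Object { "_continue_ = `"dns=$($_)&`"" }) -join "`r`n"

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__CN__, O=My Company, L=My City, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"
__SAN__
'@
$inf = $inf.Replace('__CN__', $externalName).Replace('__SAN__', $sanLines)
# KeySpec=1 (AT_KEYEXCHANGE) and MachineKeySet=TRUE put an RSA key usable by
# IIS in the computer store; Exportable=TRUE lets you move it as a PFX later.

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Content -Path "$workDir\webaccess.inf" -Value $inf -Encoding ASCII

# Generate the key pair and the PKCS#10 request; the request stays pending in
# the machine store until certreq -accept is run with the issued certificate.
& certreq.exe -new "$workDir\webaccess.inf" "$workDir\webaccess.csr"

# Check the request before sending it: every name should appear as a DNS Name.
& certutil.exe -dump "$workDir\webaccess.csr" | Select-String 'DNS Name='

# The Base64 block in webaccess.csr is what goes into the CA's order form.
```

The certutil dump at the end is the check worth doing before paying for a certificate: if a name is missing from the request, no CA will add it for you, and if a public CA sees a non-public name it will either reject the order or strip the extension.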
Dave Howe commented:
@noci: I never trust the MS tools to get it right, I use XCA to generate the CSR (and if possible, sign it too - then just import the PFX :)
noci (Software Engineer) commented:
I agree, but the IIS certificate CSR generator can't handle SAN. You need the MS Certificate Manager for that. [ more or less equivalent functionality to XCA ].
Personally I have a Linux-only shop; customers tend to have Windows systems.
Dave Howe commented:
@noci: which is why I use xca - it's written in Java, so largely platform independent, runs happily on the admin's workstation (so no messing about with server apps over RDP) and does SAN certificates just fine :)
Sid_F (Author) commented:
OK, until now I generate the CSR using the server certificates section in IIS; this creates a CSR and leaves the certificate request pending until I process the pending request with the cert I get back from Comodo or whatever CA I choose.

But with XCA, this is a program I need to install that in some way integrates with IIS. Apologies but I am a little clueless as to how IIS integrates with this and how I generate the CSR and then process the pending request.
Dave Howe commented:
XCA doesn't integrate into anything. It lets you manually create a CSR with any values you choose, submit it to the CA, import the cert back into XCA and re-export as a PFX file which can then be imported onto the target server(s).
Sid_F (Author) commented:
Thanks. There are two things. One is the process to create the xca cert. I create a DB and assign a password to it. But then how do I create the CSR?
Also, when I get back the cert, what do I need to do to get IIS to be aware of the cert in order to bind it? Is this simply a folder it gets saved to and then becomes available?
Dave Howe commented:
OK, here is the procedure if you want to use xca.

1) on the "certificate signing requests" tab, hit "new request"

2) on the source page, select "https-server" template and "apply all"

3) on subject page, fill in the details you want as your "main" certificate details.

4) still on the subject page, hit "generate" next to the private key box at the bottom, pick a size (I recommend 2048) and give it a friendly name if you want to.

5) on "extensions" hit "[edit]" next to the "subject alternative name" box, and add multiple line items of type "dns" - one per name you want to buy for this cert (include the one you put in common name on the previous page too, many clients ignore CN entirely if SAN is available)

6) hit [OK] - you should now have a CSR. you can check this by double-clicking it before you go any further.

7) right click the CSR and select "export >> clipboard"

8) you can now paste that into the CA's purchase screen - make sure it is a SAN  you are buying though, or they may remove the SAN extension.

9) once you get your cert back (usually as a pkcs#7 with the CA certs too), import it into the "certificates" tab in the same DB. you should now have a tree display in that window with the CA at the top and your new cert at the bottom.

10) right click your cert (the one at the bottom of the tree!) and select "export >> file" - you want pkcs#12 with certificate chain.

11) fire up the IIS admin tool; you click on the server (NOT site) and select "server certificates" - import the pfx here

12) now, go to the site, and the bindings for that site. if you don't have a https binding (yet) add one, either way you can select the certificate you just imported.

Notes:

you can issue the CSR yourself with XCA if you want to test it before buying - to do that, create a self-signed CA type cert (on the certs tab) and use that to sign the CSR on the CSR tab. you will need the exported cert from the new CA for testing (if you install that to a client machine, it won't complain about the cert being unverified)
procedure is otherwise as outlined, with your own issuing step substituting for steps 7-9 (and also step 8.5 - cough up large amount of cash :)

another possibility - if you want only *one* external name, add a second https listener on port 444, and use your firewall to map 443 on the outside to 444 on the server. that lets you have an internal "AD" cert for 443 (your own users) and the much, much cheaper standard SSL cert on the 444 listener for external users. The remap step on the firewall (443-->444) makes the process transparent to external users, and you save $$$$
noci (Software Engineer) commented:
I agree, with one extra note:
wrt. the port 444 trick, that may fail if e.g. OWA is used, which generates its links from the base with 444 explicitly hardcoded in them... It would only work if web applications use relative URLs instead of full URLs....
OWA is definitely not the only one that cannot correctly handle a different port.
Dave Howe commented:
@noci: best workaround there then is to add a second IP to the host, and have BOTH listeners on 443, just on different IPs :)
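Steps 9 to 12 of Dave Howe's xca procedure (import the issued certificate, check it, bind it in IIS) and his later suggestion of a second IP with both listeners on 443 can be scripted on the server itself. The following is an added example for this page, not code from the thread or from xca; it assumes the request was created with certreq in the machine store, that IIS 7.5's WebAdministration module is available, and that the file name, host names, site name and IP addresses are placeholders to be replaced.

```powershell
# Added example, not code from the thread: complete the pending request with
# the certificate the CA returned, verify that the SAN survived issuance, and
# bind the result in IIS 7.5 using the WebAdministration module that ships
# with the Web Server role. File names, host names and IPs are assumptions.
Import-Module WebAdministration

$issuedFile   = 'C:\certs\webaccess.cer'        # file from the CA (CER/P7B)
$publicName   = 'webaccess.mycompany.com'
$requiredSans = @('webaccess.mycompany.com', 'webaccess')
$siteName     = 'Default Web Site'

# 1. Pair the issued certificate with the private key certreq -new created
#    in the machine store; it then appears under Cert:\LocalMachine\My.
& certreq.exe -accept $issuedFile

# 2. Locate the newest certificate for the public name and sanity-check it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$publicName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "no certificate for $publicName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'no private key: -accept did not match a pending request' }

# 3. A CA that sold a single-name product may have stripped the SAN extension;
#    refuse to bind a certificate that lacks any name users will type.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'issued certificate carries no Subject Alternative Name' }
$sanText = $sanExt.Format($true)    # one "DNS Name=<host>" per line
$missing = $requiredSans | Where-Object {
    $sanText -notmatch "DNS Name=$([regex]::Escape($_))(\r|\n|$)"
}
if ($missing) { throw "SAN lacks: $($missing -join ', ')" }

# 4. Bind. Using a distinct IP per listener lets two certificates share
#    port 443 (the alternative to the port-444 remap): the public SAN cert on
#    the externally reachable IP, an internal-CA cert on the LAN-facing one.
$externalIp = '10.0.0.2'
New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress $externalIp
$cert | New-Item "IIS:\SslBindings\$externalIp!443"

# Optional second listener with a certificate from an internal/AD CA; the
# subject filter is an assumption, adjust it to your internal certificate.
$internalCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=webaccess.company.local*' } |
    Select-Object -First 1
if ($internalCert) {
    $internalIp = '10.0.0.3'
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress $internalIp
    $internalCert | New-Item "IIS:\SslBindings\$internalIp!443"
}
```

The SAN check in step 3 is the scripted form of step 8's warning: it fails before anything is bound if the CA dropped the extension or omitted a name, which is cheaper to discover here than from users' browser errors. Binding per IP rather than per port avoids the hardcoded-port problem noci raises for OWA-style applications, since both listeners stay on 443.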
Sid_F (Author) commented:
Thanks