Solved

SSL certificate issue, is it a domain name issue?

Posted on 2013-05-23
5
285 Views
Last Modified: 2013-07-11
I have a third party SSL cert that I'm using for one of my websites (https access). The website is behind my firewall.

External, public DNS name of the url is mysite.com and has a public address which is mapped to an internal IP of the website.

The SSL cert contains the name: mysite.com (matching the public DNS record)

The internal name of site is mysite.home.com

Users are getting this error when they connect:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is this because the internal FQDN name does not match the external name that's on the SSL cert?
0
Question by:iamuser
5 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 39193471
The SSL endpoint must be mysite.com, then the user will not get a certificate error.
mysite.com must be the web server where your certificate is stored.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39193606
That's a certificate chain error there, not a name mismatch.
Check that the internal users are allowed to reach the intermediate certificate listed in the authority access field on the certificate, or alternatively (if you don't want them having access to that) download it and push it out via group policy?
0
 
LVL 40

Expert Comment

by:noci
ID: 39193679
For certificates you need to get everything right.

Chain must validate, the top CA certificate must be trusted.
The current date must be valid on all certificates in the chain.
The subject of the service certificate must match the name that is used as hostname.
The certificate is checked BEFORE any data (like the HTTP Host: header) is transferred.
0
 

Author Comment

by:iamuser
ID: 39250113
So the problem is that internal users are not reaching the server that holds the CA certificate?
0
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 39251464
No, they are reaching the server but they cannot validate all certificates.

(click the icon left of the url for an explanation, and check the certificate chain )

Topmost certificate must be trusted & valid
-- intermediate certificate - must be valid
  -- intermediate certificate - must be valid
    -- server certificate must contain the hostname & be valid.

For your server certificate:

mysite.home.com    for internal users
mysite.com         for external users...

So you need a certificate that contains BOTH names.
(Subject Alternative Name / SAN certificate)

And, no, you cannot have more than ONE certificate for each IP address/port number pair.
0
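As an added example, not code posted in this thread, here is the sequence of checks noci describes (in the comment listing the four rules and in the accepted solution) modelled in Python: link the server certificate to a trusted root through the presented intermediates, check the validity dates on every certificate in that chain, and only then compare the hostname the client typed against the DNS names the server certificate carries. The "certificates" are constructed Python dicts, not real X.509 objects; the names mysite.com and mysite.home.com come from the question, and the CA names, dates and trust store are made up for the illustration. The hostname comparison follows the RFC 6125 rule (case-insensitive, one wildcard standing for exactly one left-most label), which goes beyond the thread's two literal names.

```python
"""Model of a TLS client's server-certificate validation (added example).

Chain first, then dates, then hostname: the same order a browser applies
during the handshake, before any HTTP request (and so before any Host:
header) is sent.
"""
from datetime import date

# Constructed sample certificates (plain dicts, not real X.509 data).
ROOT_CA = {
    "subject": "Example Root CA", "issuer": "Example Root CA",
    "not_before": date(2010, 1, 1), "not_after": date(2030, 1, 1),
    "dns_names": [],
}
ISSUING_CA = {
    "subject": "Example Issuing CA", "issuer": "Example Root CA",
    "not_before": date(2012, 1, 1), "not_after": date(2022, 1, 1),
    "dns_names": [],
}
# The questioner's situation: the certificate carries only the public name.
SERVER_PUBLIC_ONLY = {
    "subject": "mysite.com", "issuer": "Example Issuing CA",
    "not_before": date(2013, 1, 1), "not_after": date(2014, 1, 1),
    "dns_names": ["mysite.com"],
}
# The fix from the accepted solution: one certificate listing both names as SANs.
SERVER_SAN = dict(SERVER_PUBLIC_ONLY, dns_names=["mysite.com", "mysite.home.com"])

TRUST_STORE = [ROOT_CA]      # what the client already trusts (assumed)
TODAY = date(2013, 6, 1)     # assumed clock for the examples


def hostname_matches(hostname, dns_names):
    """RFC 6125 style match of a hostname against dNSName entries.

    Case-insensitive; a '*' may only replace one whole left-most label,
    so '*.home.com' matches 'mysite.home.com' but not 'home.com' or
    'a.b.home.com'.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*" and len(pattern) >= 3:
            if pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def build_chain(server_cert, presented, trust_store):
    """Link each certificate to its issuer, looking first in the trust store
    and then among the certificates the server presented.

    Returns (chain, None) when the chain ends at a trusted root, or
    ([], reason) when an issuer cannot be found: the incomplete-chain case
    behind the question's 'certificate verify failed'.
    """
    chain = [server_cert]
    current = server_cert
    seen = set()
    while True:
        if current in trust_store:
            return chain, None
        if current["subject"] in seen:
            return [], "loop in certificate chain"
        seen.add(current["subject"])
        issuer = next((c for c in trust_store + presented
                       if c["subject"] == current["issuer"]), None)
        if issuer is None:
            return [], "unable to get issuer certificate for '%s'" % current["subject"]
        chain.append(issuer)
        current = issuer


def verify(server_cert, presented, trust_store, hostname, today):
    """Apply the checks in order; returns (ok, reason)."""
    chain, err = build_chain(server_cert, presented, trust_store)
    if err:
        return False, "certificate verify failed: " + err
    for cert in chain:
        if not (cert["not_before"] <= today <= cert["not_after"]):
            return False, "certificate verify failed: '%s' not valid on %s" % (
                cert["subject"], today)
    if not hostname_matches(hostname, server_cert["dns_names"]):
        return False, "hostname mismatch: '%s' not in %s" % (
            hostname, server_cert["dns_names"])
    return True, "ok (chain of %d certificates)" % len(chain)


if __name__ == "__main__":
    cases = [
        ("external user, full chain", SERVER_PUBLIC_ONLY, [ISSUING_CA], "mysite.com"),
        ("intermediate not sent", SERVER_PUBLIC_ONLY, [], "mysite.com"),
        ("internal user, public-only cert", SERVER_PUBLIC_ONLY, [ISSUING_CA], "mysite.home.com"),
        ("internal user, SAN cert", SERVER_SAN, [ISSUING_CA], "mysite.home.com"),
    ]
    for label, cert, extra, host in cases:
        print("%-34s %s" % (label + ":", verify(cert, extra, TRUST_STORE, host, TODAY)[1]))
```

The second case reproduces the thread's diagnosis: the server certificate itself is fine, but a client that cannot obtain the intermediate cannot reach a trusted root, so validation stops before the hostname is even compared. The third and fourth cases show why the accepted answer calls for a SAN certificate listing both names.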
