Solved

SSL Certificate

Posted on 2014-11-22
Last Modified: 2015-01-02
Hello

I have two Win 2003 servers behind a firewall. One server has a CherryPy web server for mail, and the other server is IIS 6 for Citrix 4.5. I have a public IP and we are using different ports on the firewall to see both websites from outside.
I want to get an SSL certificate to protect both websites:

1) Does one certificate work for both servers?
2) Our domain xyz.com is hosted outside, but a sub domain mail.xyz.com is pointing to our public IP.
When creating the certificate request, can I get a standard certificate and fill in the sub domain in the request? Or should I fill in the domain itself?
3) Does the certificate work if different ports are used?
4) Can SSL work with a public IP instead of a domain? Example: https://2.2.2.2:8443

Thank you
Question by: m_jundi

10 Comments

Expert Comment by: Dave Baldwin
1. No, each server needs its own certificate.
2. The certificate is tied to the domain name. Certificates typically have mydomain.com and www.mydomain.com.
3. 'Normal' ports for 'secure email' are 995 for POP and 465 for SMTP.
4. No, as mentioned above, certificates are issued for domains, not IP addresses.

Basic SSL/TLS certificates are issued for encrypting web site communication, not emails. You need to make sure that whatever you get covers your needs. It is not automatic.

Author Comment by: m_jundi
1) Both servers are behind a firewall, abc.mydomain.com; NAT is used. Will the certificate be issued for the same domain?

Sorry if I put Mail, but I wanted to point to a sub domain as an example: abc.mydomain.com

Expert Comment by: Dave Baldwin
If it's not email, it's less of a problem because then it's just for encrypting web communication, a single purpose. Like I said, certificates are issued for a domain. You can include a sub-domain, but if it's not 'www' there might be extra cost. Typically certificates are issued for mydomain.com and www.mydomain.com but not another sub-domain. You would have to ask for abc.mydomain.com and see what they say. One catch to all of that is that a unique static IP address still must be used because of the way certificates are authenticated.

Author Comment by: m_jundi
What about using NAT on different ports? Does it work with SSL?

Expert Comment by: Dave Baldwin
I don't know.

Accepted Solution by: btan
SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (e.g. *.domain.com) or even an IP address, but it usually isn't. See http://www.totallyssl.com/options

If you have SSL on www.xyz.com and abc.xyz.com, and a single IP address, consider using only one wildcard SSL cert such as *.xyz.com for the SSL cert common name.

If you have SSL on www.xyz.com and www.abc.com, and a single IP address, consider using Server Name Indication (SNI). It uses multiple SSL server certs on one IP, and the browser also needs to support SNI. See more info at https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

If you have different IP addresses (but the same port) and different SSL certs, NAT should be possible.

If you have different IP addresses (but the same port) and one SSL cert, NAT should be possible. Consider having the SSL cert carry a SAN (subject alt name), putting *.abc.com as the alt name while www.xyz.com is the subject (common name).

In any case, for NAT with a firewall fronting, it is a proxy that performs such translation and forwards to the correct server. It acts as an SSL proxy, meaning it fronts the browser with its own SSL cert (the browser must trust the FW cert's CA, especially for a self-signed cert or an enterprise-CA-issued SSL cert). At the same time, to allow its inspection, the FW (then acting like a browser) will re-encrypt with SSL and connect to the respective web server directly. Best to put that confirmation to the FW tech support, as it may need additional configuration.

Assisted Solution by: kevinhsieh
Btan gave good information. To simplify:

1. If both servers are mail.xyz.com, use the same certificate.
2. The certificate is for mail.xyz.com only, not xyz.com.
3. The certificate works with different ports just fine.
4. You probably can't get a trusted SSL certificate for your public IP (as opposed to your FQDN mail.xyz.com). See https://support.globalsign.com/customer/portal/articles/1216536

If you don't care about the SSL cert being trusted, you can always self-sign one.

As you probably know, Windows 2003 is nearing the end of extended support. When extended support ends, there will be no further security fixes for Windows 2003, which will make your server extremely vulnerable to attack, especially since it is serving content to the Internet. To give you an idea of the risk, this recent security bulletin outlines a vulnerability that allows remote code execution, which would allow a remote attacker to own your server simply by sending bad SSL packets. That is as bad as it gets as far as vulnerabilities go. This cannot be stopped by AV or firewall rules or NAT. The only options are to patch or possibly a full SSL proxy that can decrypt all traffic. After next summer you won't have the option to patch. Windows 2003 has had a nice long run, but it really is time to upgrade. The Internet is getting too dangerous to leave unpatched, unsupported systems connected.

Expert Comment by: btan
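The identity check that btan's accepted solution and kevinhsieh's summary describe (wildcard versus bare domain, SAN versus CN, IP literal, port ignored), as an added example that is not part of the thread. The certificate is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the names and the 2.2.2.2 address are taken from the question.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed certificate: CN www.xyz.com, SAN covering *.xyz.com and the public IP.
CERT = {
    "subject": ((("commonName", "www.xyz.com"),),),
    "subjectAltName": (
        ("DNS", "www.xyz.com"),
        ("DNS", "*.xyz.com"),
        ("IP Address", "2.2.2.2"),
    ),
}

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a wildcard covers exactly one leftmost label,
    so *.xyz.com matches abc.xyz.com but neither xyz.com nor a.b.xyz.com."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*" or "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches_host(cert: dict, host: str) -> bool:
    """True if the certificate is valid for host (a DNS name or an IP literal)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only ever matched against iPAddress SAN entries,
        # never against DNS names or the CN.
        return any(ip == ipaddress.ip_address(v) for v in ip_names)
    if dns_names:
        # Once a certificate carries DNS SANs, modern verifiers ignore the CN.
        return any(_dns_match(p, host) for p in dns_names)
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, host) for p in cn)

def cert_matches_url(cert: dict, url: str) -> bool:
    """Only the host part of the URL takes part; port and path are ignored,
    which is why one certificate serves both https://host:443 and https://host:8443."""
    host = urlsplit(url).hostname
    return host is not None and cert_matches_host(cert, host)
```

Note that a certificate with CN www.xyz.com and only *.abc.com in the SAN fails for www.xyz.com under these rules, so the CN should be repeated as a SAN entry.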
With the recent slew of SSL-related vulnerabilities such as BREACH, HEARTBLEED and POODLE (can easily google), do go for (if possible) TLS 1.2 and a SHA2 SSL cert. You can also test the SSL site with ssltest (https://www.ssllabs.com/ssltest/), which is commonly used, and it also highlights if the website is vulnerable to the above-mentioned.

Expert Comment by: kevinhsieh
Windows 2003 only supports TLS 1.0. To get the higher versions of TLS you need to upgrade to a newer version of Windows.

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx