SSL Certificate

Hello

I have two Win 2003 servers behind a firewall. One server runs the CherryPy web server for mail, and the other server is IIS 6 for Citrix 4.5. I have a public IP, and we are using different ports on the firewall to reach both websites from outside.
I want to get an SSL certificate to protect both websites:

1) Does one certificate work for both servers?
2) Our domain xyz.com is hosted outside, but a sub domain mail.xyz.com is pointing to our public IP.
 When creating the certificate request, can I get a standard certificate and fill in the sub domain in the request? Or should I fill in the domain itself?
3) Does the certificate work if different ports are used?
4) Can SSL work with a public IP instead of a domain? Example: https://2.2.2.2:8443



Thank you
0
Asked: m_jundi

2 Solutions
 
Dave Baldwin (Fixer of Problems) commented:
1. No, each server needs its own certificate.
2. The certificate is tied to the domain name.  Certificates typically have mydomain.com and www.mydomain.com.
3. 'normal' ports for 'secure email' are 995 for POP and 465 for SMTP.
4. No, as mentioned above, certificates are issued for domains, not IP addresses.

Basic SSL/TLS certificates are issued for encrypting web site communication, not emails.  You need to make sure that whatever you get covers your needs.  It is not automatic.
0
 
m_jundi (Author) commented:
1) Both servers are behind the firewall as abc.mydomain.com, NAT is used; will the certificate be issued for the same domain?

Sorry if I put Mail, but I wanted to point to a sub domain as an example: abc.mydomain.com
0
 
Dave Baldwin (Fixer of Problems) commented:
If it's not email, it's less of a problem because then it's just for encrypting web communication, a single purpose.  Like I said, certificates are issued for a domain.  You can include a sub-domain but if it's not 'www' there might be extra cost.  Typically certificates are issued for mydomain.com and www.mydomain.com but not another sub-domain.  You would have to ask for abc.mydomain.com and see what they say.  One catch to all of that is that a unique static IP address still must be used because of the way certificates are authenticated.
0
 
m_jundi (Author) commented:
What about using NAT on different ports? Does it work with SSL?
0
 
Dave Baldwin (Fixer of Problems) commented:
I don't know.
0
 
btan (Exec Consultant) commented:
SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (e.g. *.domain.com) or even an IP address, but it usually isn't. See http://www.totallyssl.com/options

If you have SSL on www.xyz.com and abc.xyz.com, and a single IP address, consider using only one wildcard SSL cert such as *.xyz.com as the SSL cert common name.

If you have SSL on www.xyz.com and www.abc.com, and a single IP address, consider using Server Name Indication (SNI). It uses multiple SSL server certs on one IP, and the browser also needs to support SNI. See more info at https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

If you have different IP addresses (but the same port) and different SSL certs, NAT should be possible.

If you have different IP addresses (but the same port) and one SSL cert, NAT should be possible. Consider having the SSL cert carry a SAN (subject alt name), putting *.abc.com as the alt name while www.xyz.com is the subject (common name).

In any case, for NAT with a firewall fronting, it is a proxy that performs such translation and forwards to the correct server. It acts as an SSL proxy, meaning it fronts the browser with its own SSL cert (the browser trusts the FW cert CA, esp. for a self-signed cert or an enterprise-CA-issued SSL cert). At the same time, to allow its inspection, the FW (then acting like a browser) will re-encrypt with SSL and connect to the respective web server directly. Best to put that confirmation to the FW tech support, as it may need additional configuration.
0
 
kevinhsieh commented:
Btan gave good information. To simplify,

1. If both servers are mail.xyz.com, use the same certificate
2. The certificate is for mail.xyz.com only, not xyz.com
3. The certificate works with different ports just fine
4. You probably can't get a trusted SSL certificate for your public IP (as opposed to your FQDN mail.xyz.com). See https://support.globalsign.com/customer/portal/articles/1216536

If you don't care about the SSL cert being trusted,  you can always self sign one.

As you probably know, Windows 2003 is nearing the end of extended support. When extended support ends, there will be no further security fixes for Windows 2003, which will make your server extremely vulnerable to attack, especially since it's serving content to the Internet. To give you an idea of the risk, this recent security bulletin outlines a vulnerability that allows remote code execution, which would allow a remote attacker to own your server simply by sending bad SSL packets. That is as bad as it gets as far as vulnerabilities go. This cannot be stopped by AV or firewall rules or NAT. The only options are to patch or possibly a full SSL proxy that can decrypt all traffic. After next summer you won't have the option to patch. Windows 2003 has had a nice long run, but it really is time to upgrade. The Internet is getting too dangerous to leave unpatched, unsupported systems connected.
0
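To make the name-matching rules behind btan's wildcard/SAN notes and kevinhsieh's four answers concrete, here is an added example that is not part of the thread. It implements RFC 6125-style hostname matching over certificates in the dictionary shape that Python's `ssl.getpeercert()` returns; the three certificates (`CERT_SINGLE_NAME`, `CERT_WILDCARD`, `CERT_WITH_IP_SAN`) and the address 2.2.2.2 are constructed sample values, not real certificates. It shows that the port plays no part in matching, that a certificate for mail.xyz.com does not cover xyz.com, that `*.xyz.com` covers exactly one label, and that an IP literal only matches an IP Address SAN.

```python
import ipaddress

# Constructed sample certificates in the dict shape of ssl.getpeercert().
# They are illustrative only; no real certificate or key is involved.
CERT_SINGLE_NAME = {
    "subject": ((("commonName", "mail.xyz.com"),),),
    "subjectAltName": (("DNS", "mail.xyz.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.xyz.com"),),),
    "subjectAltName": (("DNS", "*.xyz.com"), ("DNS", "xyz.com")),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "mail.xyz.com"),),),
    "subjectAltName": (("DNS", "mail.xyz.com"), ("IP Address", "2.2.2.2")),
}


def _dns_match(pattern, hostname):
    """RFC 6125-style match: one leading '*' label matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # only a whole leftmost label may be a wildcard
    if len(p_labels) < 3:
        return False  # refuse '*.com'-style wildcards
    # Same number of labels and identical parent domain: *.xyz.com matches
    # abc.xyz.com but neither xyz.com nor a.b.xyz.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (dns_names, ip_names) from the SAN; fall back to the CN only
    when the certificate carries no SAN at all, as browsers do."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def split_host_port(target):
    """Split 'host[:port]' or '[v6]:port'; the port is irrelevant to matching."""
    if target.startswith("["):
        end = target.index("]")
        return target[1:end], target[end + 2:] or None
    if target.count(":") == 1:
        host, port = target.split(":")
        return host, port
    return target, None


def cert_matches(cert, target):
    """Does `cert` cover the host part of `target` (e.g. 'mail.xyz.com:8443')?"""
    host, _port = split_host_port(target)  # port never influences the match
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared only against IP Address SANs, never DNS names.
        return any(ipaddress.ip_address(ip) == addr for ip in ips)
    return any(_dns_match(pattern, host) for pattern in dns)


if __name__ == "__main__":
    cases = [
        (CERT_SINGLE_NAME, "mail.xyz.com:443"),
        (CERT_SINGLE_NAME, "mail.xyz.com:8443"),   # different port, same match
        (CERT_SINGLE_NAME, "xyz.com"),             # bare domain not covered
        (CERT_SINGLE_NAME, "2.2.2.2:8443"),        # IP literal, no IP SAN
        (CERT_WILDCARD, "abc.xyz.com"),
        (CERT_WILDCARD, "a.b.xyz.com"),            # wildcard spans one label only
        (CERT_WITH_IP_SAN, "2.2.2.2:8443"),        # IP SAN present
    ]
    for cert, target in cases:
        print(f"{cert_names(cert)!s:55} {target:20} -> {cert_matches(cert, target)}")
```

The script is deliberately independent of any network: feed it the dictionary from a real `ssl.getpeercert()` call and the same functions answer whether a given URL's host would be accepted by that certificate, regardless of the port the firewall forwards it on.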
 
btan (Exec Consultant) commented:
With the recent slew of SSL-related vulnerabilities such as BREACH, HEARTBLEED, POODLE (can easily google), do go for (if possible) TLS 1.2 and a SHA2 SSL cert. You can also test out the SSL site with ssltest (https://www.ssllabs.com/ssltest/), which is commonly used, and it also highlights whether the website is vulnerable to the above mentioned.
0
 
kevinhsieh commented:
Windows 2003 only supports TLS 1.0. To get the higher versions of TLS you need to upgrade to a newer version of Windows.

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
0