Solved

SSL Certificate

Posted on 2014-11-22
327 Views
Last Modified: 2015-01-02
Hello

I have two Win 2003 servers behind a firewall. One server has a CherryPy web server for mail, and the other server is IIS 6 for Citrix 4.5. I have a public IP and we are using different ports on the firewall to see both websites from outside.
I want to get an SSL certificate to protect both websites:

1) Does one certificate work for both servers?
2) Our domain xyz.com is hosted outside, but a sub-domain mail.xyz.com is pointing to our public IP.
 When creating the certificate request, can I get a standard certificate and fill in the sub-domain in the request? Or should I fill in the domain itself?
3) Does the certificate work if different ports are used?
4) Can SSL work with a public IP instead of a domain? Example: https://2.2.2.2:8443



Thank you
Question by:m_jundi
10 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40460362
1. No, each server needs its own certificate.
2. The certificate is tied to the domain name. Certificates typically have mydomain.com and www.mydomain.com.
3. 'normal' ports for 'secure email' are 995 for POP and 465 for SMTP.
4. No, as mentioned above, certificates are issued for domains, not IP addresses.

Basic SSL/TLS certificates are issued for encrypting web site communication, not emails.  You need to make sure that whatever you get covers your needs.  It is not automatic.
0
 

Author Comment

by:m_jundi
ID: 40460363
1) Both servers are behind the firewall as abc.mydomain.com and NAT is used. Will the certificate be issued for the same domain?

Sorry if I put "Mail", but I wanted to point to a sub-domain as an example: abc.mydomain.com
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40460371
If it's not email, it's less of a problem because then it's just for encrypting web communication, a single purpose. Like I said, certificates are issued for a domain. You can include a sub-domain, but if it's not 'www' there might be extra cost. Typically certificates are issued for mydomain.com and www.mydomain.com but not another sub-domain. You would have to ask for abc.mydomain.com and see what they say. One catch to all of that is that a unique static IP address still must be used because of the way certificates are authenticated.
0

Author Comment

by:m_jundi
ID: 40473681
What about using NAT on different ports? Does it work with SSL?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40474112
I don't know.
0
 
LVL 64

Accepted Solution

by: btan
btan earned 350 total points
ID: 40485390
SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (e.g. *.domain.com) or even an IP address, but it usually isn't. See http://www.totallyssl.com/options

If you have SSL on www.xyz.com and abc.xyz.com, and a single IP address, consider using only one wildcard SSL cert such as *.xyz.com for the SSL cert common name.

If you have SSL on www.xyz.com and www.abc.com, and a single IP address, consider using Server Name Indication (SNI). It uses multiple SSL server certs on one IP, and the browser also needs to support SNI. See more info at https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

If you have different IP addresses (but the same port) and different SSL certs, NAT should be possible.

If you have different IP addresses (but the same port) and one SSL cert, NAT should be possible. Consider having the SSL cert carry a SAN (subject alt name), putting *.abc.com as the alt name while www.xyz.com is the subject (common name).

In any case, for NAT with a firewall fronting the servers, it is a proxy that performs such translation and forwards to the correct server. It acts as an SSL proxy, meaning it fronts the browser with its own SSL cert (the browser must trust the FW cert's CA, especially for a self-signed cert or an enterprise-CA-issued SSL cert). At the same time, to allow its inspection, the FW (then acting like a browser) will re-encrypt with SSL and connect to the respective web server directly. Best to put that confirmation to the FW tech support, as it may need additional configuration.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 150 total points
ID: 40485585
Btan gave good information. To simplify,

1. If both servers are mail.xyz.com, use the same certificate
2. The certificate is for mail.xyz.com only, not xyz.com
3. The certificate works with different ports just fine
4. You probably can't get a trusted SSL certificate for your public IP (as opposed to your FQDN mail.xyz.com). See https://support.globalsign.com/customer/portal/articles/1216536

If you don't care about the SSL cert being trusted, you can always self-sign one.

As you probably know, Windows 2003 is nearing the end of extended support. When extended support ends, there will be no further security fixes for Windows 2003, which will make your server extremely vulnerable to attack, especially since it is serving content to the Internet. To give you an idea of the risk, this recent security bulletin outlines a vulnerability that allows remote code execution that would allow a remote attacker to own your server simply by sending bad SSL packets. That is as bad as it gets as far as vulnerabilities go. This cannot be stopped by AV or firewall rules or NAT. The only options are to patch or possibly a full SSL proxy that can decrypt all traffic. After next summer you won't have the option to patch. Windows 2003 has had a nice long run, but it really is time to upgrade. The Internet is getting too dangerous to leave unpatched, unsupported systems connected.
0
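The name-matching rules that btan's and kevinhsieh's answers rely on (common name versus SAN entries, wildcard scope, IP literals, and the port playing no part) can be exercised offline. The block below is an added example, not code from this thread or from any of the products it mentions: it models a certificate by the identity fields a real X.509 certificate carries (CN, SAN dNSName and iPAddress entries) and implements the RFC 6125 / RFC 2818 matching a browser performs. The host names xyz.com, abc.xyz.com, abc.com and the address 2.2.2.2 are the placeholders from the question; the certificate contents are constructed for the demonstration.

```python
"""Hostname-to-certificate matching as a TLS client performs it.

Added example. Certificates are in-memory descriptions of the identity
fields of a real X.509 certificate (CN plus subjectAltName DNS/IP entries);
the sample names and addresses are placeholders from the forum question.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CertIdentity:
    common_name: str
    san_dns: tuple = ()   # subjectAltName dNSName entries, may contain wildcards
    san_ip: tuple = ()    # subjectAltName iPAddress entries, as literal strings


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against a hostname.

    Rules: case-insensitive; a wildcard is accepted only as the whole
    left-most label, matches exactly one label, and never matches the bare
    parent domain (*.xyz.com covers abc.xyz.com but not xyz.com or a.b.xyz.com).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (w*.xyz.com) and over-broad ones (*.com).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: CertIdentity, host: str) -> bool:
    """True if the certificate identifies `host` (a bare hostname or IP literal)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is checked only against SAN iPAddress entries; a CN or
        # DNS entry that merely looks like an address does not count.
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns:
        # When the certificate carries SAN DNS names, the CN is ignored.
        return any(dns_name_matches(p, host) for p in cert.san_dns)
    return dns_name_matches(cert.common_name, host)


def reference_identity(url: str) -> str:
    """The identity a client checks the certificate against: the host only.

    The port (8443, 443, ...) is never part of the comparison, which is why
    the same certificate works behind any NAT port mapping.
    """
    return urlsplit(url).hostname


if __name__ == "__main__":
    mail_cert = CertIdentity("mail.xyz.com")
    wildcard_cert = CertIdentity("*.xyz.com", san_dns=("*.xyz.com", "xyz.com"))
    san_cert = CertIdentity("www.xyz.com",
                            san_dns=("www.xyz.com", "*.abc.com"),
                            san_ip=("2.2.2.2",))
    for url in ("https://mail.xyz.com:8443/", "https://mail.xyz.com:9443/",
                "https://abc.xyz.com/", "https://xyz.com/",
                "https://www.abc.com/", "https://2.2.2.2:8443/"):
        host = reference_identity(url)
        print(f"{url:30} mail_cert={cert_matches(mail_cert, host)!s:5} "
              f"wildcard={cert_matches(wildcard_cert, host)!s:5} "
              f"san={cert_matches(san_cert, host)!s:5}")
```

Running the block prints one row per URL; the two mail.xyz.com rows come out identical regardless of port, the wildcard certificate covers abc.xyz.com and (only because of the explicit SAN entry) xyz.com, and only the certificate with an iPAddress SAN entry satisfies https://2.2.2.2:8443/. A public CA will generally not issue such an IP entry for a public address, which is kevinhsieh's point 4; a private or self-signed certificate can carry one, at the cost of trust.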
 
LVL 64

Expert Comment

by:btan
ID: 40485951
With the recent slew of SSL-related vulnerabilities such as BREACH, HEARTBLEED, POODLE (can easily google), do go for (if possible) TLS 1.2 and a SHA2 SSL cert. You can also test the SSL site with ssltest (https://www.ssllabs.com/ssltest/), which is commonly used, and it also highlights if the website is vulnerable to the above mentioned.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40486014
Windows 2003 only supports TLS 1.0. To get the higher versions of TLS you need to upgrade to a newer version of Windows.

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
0
