Solved

SAN address on SSL certificate

Posted on 2014-12-04
Last Modified: 2014-12-05
I would like to know how to configure my network to get a SAN name to work on my network. I have an SSL for our Exchange server at address mail.mydomain.com and it has been working properly the whole time. I needed to get an additional SSL for a web application for mobile devices. I created a SAN on our current SSL and it is web.mydomain.com. I went to our domain registrar and created a DNS entry pointing to a public address which is NAT'ed to an address on our LAN. The ports for the web address have been opened; however, the port is 3443 instead of 443. When I try to go to that address, the address does not resolve to port 3443, and when I manually put the port in, the certificate comes back stating "None of the common names in the certificate match the name that was entered (web.mydomain.com)". What am I missing? Do I need to make an entry on my DNS server for my domain? Do I need to make a modification on my registrar DNS?
Question by:tparus
10 Comments

Expert Comment by: Sean Jackson
Can you confirm you have a Wildcard certificate? Only Wildcard certs can be used for multiple subdomains.

Author Comment by: tparus
I do not have a wildcard certificate and I don't know if I can have one. The reason I don't know if I can have one is that we have a business website that uses www.mydomain.com hosted by another company, and if I make a *.mydomain.com wildcard certificate I don't want to cause confusion on the web with a certificate that covers both www and mail, web. Can I create a wildcard certificate and not cause confusion? The host company purchased an SSL for the WWW domain and I have an SSL for mail and web.

Expert Comment by: Sean Jackson
Then that's your problem. You'd need a cert for mail.yourdomain.com and for web.yourdomain.com. A wildcard cert will work for *.yourdomain.com. With SANs, those need to be identified when the certificate is issued. If you wanted to add a new name to the cert, you would have to reissue it with the new name in it.

Author Comment by: tparus
If I make a Wildcard cert will it affect the cert that has www.mydomain.com? I cannot bring down our retail website so I want to make sure.

Author Comment by: tparus
I was just speaking with GoDaddy and a wildcard cert is way too much for just two addresses. How can I configure my domain to use the certificate I already have to secure both sites?

Accepted Solution by: Sean Jackson (earned 300 total points)
I don't believe you can. You will need to purchase a second certificate.

Of course, if you're ok with dealing with all the 'insecure alerts' you could generate a self-signed certificate if a second certificate would prove too costly.

Author Comment by: tparus
What's the point of a SAN if you can't use it on a different server in the same domain? I am going to have to use a self signed SSL until I get this SAN issue figured out.

Expert Comment by: Sean Jackson
I've only seen SAN certs work for an ISP-type situation where they are wanting to offer discounted SSL. Terrible idea, but that's where they're most effective, or somewhere a blogger has three different domains or something.

What you're looking for (changing the subdomain) requires the wildcard cert, which is expensive (as you've seen). It's all about the FQDN.

Assisted Solution by: Dave Howe (earned 200 total points)
A SAN is used when you have two or more names that can't be covered by a single wildcard (e.g. xxx.domain1.com and xxx.domain2.com). If you have a more generic xxx.domain.com for all the hosts, then a wildcard is easier and will cover a wider range of hosts (SAN requires each host to be named in advance). There is no issue with using a single wildcard for a number of https sites, AND vpn, AND smtp/imap/pop3/ldap/whatever, as long as it resolves correctly for every site you use it for.

A SAN must include the name of every unique domain name sharing the https server; this is rarely for anything BUT https servers, as a SAN allows more than one domain (with potentially more than one site) to share a single IP and port, so the SAN will need to be on port 443 and you will set each host as a virtual (name-based) domain. If sites are on different IPs or different ports (or both) you won't need a SAN (as they can have unique certificates; SAN is *only* used when a single IP+port pair must be used for more than one site).

For this reason, the second site should *not* be on 3443, but should share 443 with the first site.

The newer replacement for this is called Server Name Indication, but not all browsers will support that, so you may find SAN avoids getting cert mismatch errors on older browsers. Again, this allows you to have more than one site on a single IP and port 443, but has a separate cert for each site (with the browser specifying which cert it needs on connect).
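Added example, not part of the original thread: a small Python check the asker could run against web.mydomain.com:3443 to see which DNS names the certificate served on that port actually carries, and whether the name typed into the browser matches one of them under the rules browsers apply (RFC 2818 / RFC 6125: subjectAltName dNSName entries are authoritative when present, the commonName is only a legacy fallback, and a wildcard matches exactly one leftmost label). The port is not part of the name check at all; a certificate whose SAN lists both mail.mydomain.com and web.mydomain.com is valid for either name on any port, so the browser message quoted in the question means the certificate actually presented on port 3443 does not list web.mydomain.com (for instance because the web application is still serving a default certificate). The hostnames are the hypothetical ones from the question, the sample certificate dictionaries are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and only `fetch_peer_cert()` needs network access; the file name `san_check.py` is likewise an assumption.

```python
"""Report which names a TLS certificate covers and whether a hostname matches.

Added example, not code from the original thread. Sample certificates below
are constructed to mirror the question (hypothetical names).
"""
import socket
import ssl


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the hostname (RFC 6125 6.4.3).

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label: *.mydomain.com covers web.mydomain.com but neither
    mydomain.com nor a.b.mydomain.com. Partial wildcards (w*b.) and
    top-level wildcards (*.com) are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_names(cert: dict) -> list[str]:
    """Names a client considers: SAN dNSName entries if any exist, otherwise
    (legacy fallback only) the subject commonName."""
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname. The TCP port plays no
    part: the browser compares the name in the URL with whatever certificate
    it received on the port it connected to."""
    return any(_dnsname_match(name, hostname) for name in covered_names(cert))


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, validate the chain against the system trust store,
    but skip hostname checking so a mismatched certificate is still returned
    for inspection. server_hostname also sends SNI, so a name-based virtual
    host answers with the certificate it would give a browser."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we check and report it ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # the chain must still validate
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: the certificate described in the question.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"), ("DNS", "web.mydomain.com")),
}

# Constructed sample: a CN-only certificate such as a server's default
# self-signed one. This is the kind that yields "none of the common names
# in the certificate match the name that was entered".
CN_ONLY_CERT = {"subject": ((("commonName", "localhost"),),)}

# Constructed sample: a wildcard certificate that also names the bare domain.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com"))}


def report(cert: dict, hostname: str) -> str:
    """One-line verdict plus the full list of names the certificate covers."""
    names = ", ".join(covered_names(cert)) or "(none)"
    verdict = "OK" if hostname_matches(cert, hostname) else "MISMATCH"
    return f"{hostname}: {verdict} (certificate covers: {names})"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
        print(report(fetch_peer_cert(host, port), host))
    else:
        for cert in (SAMPLE_CERT, CN_ONLY_CERT, WILDCARD_CERT):
            print(report(cert, "web.mydomain.com"))
```

Run it as `python san_check.py web.mydomain.com 3443` against the live endpoint, or with no arguments to see the three constructed cases. Because `check_hostname` is off while `verify_mode` stays `CERT_REQUIRED`, a self-signed certificate on the port raises `ssl.SSLCertVerificationError` instead of being reported, which is itself the answer to "what is that port serving"; if the CA-issued SAN certificate is installed there, the report lists both names and the name check passes regardless of the port.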

Author Comment by: tparus
Darn! I have gone down the wrong path. Thanks Dave for clearing up what a SAN can do, and thank you Sean for trying to help me out with this situation. I gave points to both of you, but Sean got more since he provided more help. Thanks for all your input.