Solved

SAN address on SSL certificate

Posted on 2014-12-04
10
318 Views
Last Modified: 2014-12-05
I would like to know how to configure my network to get a SAN name to work on my network. I have an SSL for our Exchange server at address mail.mydomain.com and it has been working properly the whole time. I needed to get an additional SSL for a web application for mobile devices. I created a SAN on our current SSL and it is web.mydomain.com. I went to our domain registrar and created a DNS entry pointing to a public address which is NAT'ed to an address on our LAN. The ports for the web address have been opened; however, the port is 3443 instead of 443. When I try to go to that address, it does not resolve to port 3443, and when I manually put the port in, the certificate comes back stating "None of the common names in the certificate match the name that was entered (web.mydomain.com)". What am I missing? Do I need to make an entry on my DNS server for my domain? Do I need to make a modification on my registrar DNS?
Question by:tparus
10 Comments
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40481075
Can you confirm you have a Wildcard certificate? Only Wildcard certs can be used for multiple subdomains.
0
 

Author Comment

by:tparus
ID: 40481209
I do not have a wildcard certificate and I don't know if I can have one. The reason I don't know if I can have one is that we have a business website that uses www.mydomain.com hosted by another company, and if I make a *.mydomain.com wildcard certificate I don't want to cause confusion on the web with a certificate that covers www as well as mail and web. Can I create a wildcard certificate and not cause confusion? The host company purchased an SSL for the WWW domain and I have an SSL for mail and web.
0
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40481265
Then that's your problem. You'd need a cert for mail.yourdomain.com and for web.yourdomain.com. A wildcard cert will work for *.yourdomain.com. With SANs, those need to be identified when the certificate is issued. If you wanted to add a new name to the cert, you would have to reissue it with the new name in it.
0
 

Author Comment

by:tparus
ID: 40481282
If I make a Wildcard cert will it affect the cert that has www.mydomain.com? I cannot bring down our retail website so I want to make sure.
0
 

Author Comment

by:tparus
ID: 40481343
I was just speaking with GoDaddy and a wildcard cert is way too much for just two addresses. How can I configure my domain to use the certificate I already have to secure both sites?
0
 
LVL 5

Accepted Solution

by:
Sean Jackson earned 300 total points
ID: 40481503
I don't believe you can. You will need to purchase a second certificate.

Of course, if you're ok with dealing with all the 'insecure alerts' you could generate a self-signed certificate if a second certificate would prove too costly.
0
 

Author Comment

by:tparus
ID: 40481752
What's the point of a SAN if you can't use it on a different server in the same domain? I am going to have to use a self signed SSL until I get this SAN issue figured out.
0
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40481860
I've only seen SAN certs work for an ISP-type situation where they are wanting to offer discounted SSL. Terrible idea, but that's where they're most effective, or somewhere a blogger has three different domains or something.

What you're looking for (changing the subdomain) requires the wildcard cert, which is expensive (as you've seen). It's all about the FQDN.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 40481993
A SAN is used when you have two or more names that can't be covered by a single wildcard (e.g. xxx.domain1.com and xxx.domain2.com). If you have a more generic xxx.domain.com for all the hosts, then a wildcard is easier and will cover a wider range of hosts (SAN requires each host to be named in advance). There is no issue with using a single wildcard for a number of https sites, AND vpn, AND smtp/imap/pop3/ldap/whatever, as long as it resolves correctly for every site you use it for.

A SAN must include the name of every unique domain name sharing the https server; this is rarely for anything BUT https servers, as a SAN allows more than one domain (with potentially more than one site) to share a single IP and port. So the SAN will need to be on port 443 and you will set each host as a virtual (name based) domain. If sites are on different IPs or different ports (or both) you won't need a SAN (as they can have unique certificates; SAN is *only* used when a single IP+port pair must be used for more than one site).

For this reason, the second site should *not* be on 3443, but should share 443 with the first site.

The newer replacement for this is called Server Name Indication, but not all browsers will support that, so you may find SAN avoids getting cert mismatch errors on older browsers. Again, this allows you to have more than one site on a single IP and port 443, but has a separate cert for each site (with the browser specifying which cert it needs on connect).
0
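To make the name-matching rules discussed in this thread concrete (SAN entries must be listed in advance, a wildcard covers exactly one label, and the port plays no part), here is an added example that is not from the thread or from any participant. It re-implements the hostname check a browser performs against a certificate's dNSName entries, following RFC 6125 / RFC 2818 rules; the host names are the thread's own placeholders and the SAN lists are constructed for illustration.

```python
# Added example: does a certificate name cover the host a user typed in?
# A browser compares only the host part of the URL (the port is ignored),
# case-insensitively, against every dNSName SAN in the certificate.
from typing import Iterable
from urllib.parse import urlsplit


def hostname_from_url(url: str) -> str:
    """'https://web.mydomain.com:3443/' -> 'web.mydomain.com' (port dropped)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name (exact or wildcard) covers `host`."""
    cert_name = cert_name.rstrip(".").lower()
    host = host.rstrip(".").lower()
    if "*" not in cert_name:
        return cert_name == host            # plain dNSName: exact match only
    pat_labels = cert_name.split(".")
    host_labels = host.split(".")
    # The wildcard must be the whole left-most label ('w*.x' is rejected) and
    # at least two labels must follow it, so '*.com' can never match.
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    # '*' stands for exactly one label: '*.mydomain.com' does not cover
    # 'mydomain.com' or 'a.web.mydomain.com'.
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def cert_covers(url: str, san_names: Iterable[str]) -> bool:
    """True if any dNSName SAN in the certificate covers the host in `url`."""
    host = hostname_from_url(url)
    return any(name_matches(n, host) for n in san_names)


if __name__ == "__main__":
    # Constructed SAN lists mirroring the thread's situation.
    only_mail = ["mail.mydomain.com"]
    mail_and_web = ["mail.mydomain.com", "web.mydomain.com"]
    wildcard = ["*.mydomain.com"]
    for url in ("https://web.mydomain.com:3443/", "https://mydomain.com/"):
        for sans in (only_mail, mail_and_web, wildcard):
            print(f"{url:36} {sans!s:48} -> {cert_covers(url, sans)}")
```

Running it shows that web.mydomain.com on port 3443 is rejected only when the presented certificate lacks that name, not because of the port, and that *.mydomain.com covers mail and web but not the bare mydomain.com.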
 

Author Comment

by:tparus
ID: 40483254
Darn! I have gone down the wrong path. Thanks Dave for clearing up what a SAN can do and Thank you Sean for trying to help me out with this situation. I gave point to both of you but Sean got more since he provided more help. Thanks for all your input.
0
