Solved

SAN address on SSL certificate

Posted on 2014-12-04
10
307 Views
Last Modified: 2014-12-05
I would like to know how to configure my network to get a SAN name to work on my network. I have an SSL for our Exchange server at address mail.mydomain.com and it has been working properly the whole time. I needed to get an additional SSL for a web application for mobile devices. I created a SAN on our current SSL and it is web.mydomain.com. I went to our domain registrar and created a DNS entry pointing to a public address which is NAT'ed to an address on our LAN. The ports for the web address have been opened, however the port is 3443 instead of 443. When I try to go to that address, the address does not resolve to port 3443, and when I manually put the port in, the certificate comes back stating "None of the common names in the certificate match the name that was entered (web.mydomain.com)". What am I missing? Do I need to make an entry on my DNS server for my domain? Do I need to make a modification on my registrar DNS?
0
Comment
Question by:tparus
10 Comments
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40481075
Can you confirm you have a Wildcard certificate? Only Wildcard certs can be used for multiple subdomains.
0
 

Author Comment

by:tparus
ID: 40481209
I do not have a wildcard certificate and I don't know if I can have one. The reason I don't know if I can have one is that we have a business website that uses www.mydomain.com hosted by another company, and if I make a *.mydomain.com wildcard certificate I don't want to cause confusion on the web with a certificate that covers both www and mail, web. Can I create a wildcard certificate and not cause confusion? The host company purchased an SSL for the WWW domain and I have an SSL for mail and web.
0
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40481265
Then that's your problem. You'd need a cert for mail.yourdomain.com and for web.yourdomain.com. A wildcard cert will work for *.yourdomain.com. With SANs, those need to be identified when the certificate is issued. If you wanted to add a new name to the cert, you would have to reissue it with the new name in it.
0
 

Author Comment

by:tparus
ID: 40481282
If I make a Wildcard cert will it affect the cert that has www.mydomain.com? I cannot bring down our retail website so I want to make sure.
0
 

Author Comment

by:tparus
ID: 40481343
I was just speaking with GoDaddy and a wildcard cert is way too much for just two addresses. How can I configure my domain to use the certificate I already have to secure both sites?
0
 
LVL 5

Accepted Solution

by:
Sean Jackson earned 300 total points
ID: 40481503
I don't believe you can. You will need to purchase a second certificate.

Of course, if you're ok with dealing with all the 'insecure alerts' you could generate a self-signed certificate if a second certificate would prove too costly.
0
 

Author Comment

by:tparus
ID: 40481752
What's the point of a SAN if you can't use it on a different server in the same domain? I am going to have to use a self-signed SSL until I get this SAN issue figured out.
0
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40481860
I've only seen SAN certs work for an ISP-type situation where they are wanting to offer discounted SSL. Terrible idea, but that's where they're most effective, or somewhere a blogger has three different domains or something.

What you're looking for (changing the subdomain) requires the wildcard cert, which is expensive (as you've seen). It's all about the FQDN.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 40481993
A SAN is used when you have two or more names that can't be covered by a single wildcard (e.g. xxx.domain1.com and xxx.domain2.com). If you have a more generic xxx.domain.com for all the hosts, then a wildcard is easier and will cover a wider range of hosts (SAN requires each host to be named in advance). There is no issue with using a single wildcard for a number of https sites, AND vpn, AND smtp/imap/pop3/ldap/whatever, as long as it resolves correctly for every site you use it for.

A SAN must include the name of every unique domain name sharing the https server; this is rarely for anything BUT https servers, as a SAN allows more than one domain (with potentially more than one site) to share a single IP and port. So the SAN will need to be on port 443 and you will set each host as a virtual (name based) domain. If sites are on different IPs or different ports (or both) you won't need a SAN (as they can have unique certificates; SAN is *only* used when a single IP+port pair must be used for more than one site).

For this reason, the second site should *not* be on 3443, but should share 443 with the first site.

The newer replacement for this is called Server Name Indication, but not all browsers will support that, so you may find SAN avoids getting cert mismatch errors on older browsers. Again, this allows you to have more than one site on a single IP and port 443, but has a separate cert for each site (with the browser specifying which cert it needs on connect).
0
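As an added illustration (not code from any poster in this thread), the name-matching rule a browser applies when it reports "None of the common names in the certificate match the name that was entered": the typed hostname is compared against the certificate's dNSName SAN entries (CN only as a legacy fallback when there are no SAN entries), a wildcard may only be the whole leftmost label and matches exactly one label, and the TCP port plays no part in the comparison. The certificate and hostnames below are constructed from the question's own names.

```python
# Added example: RFC 6125-style hostname matching against a certificate's names.
from typing import Iterable, Optional


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (case-insensitive).
    A wildcard is only honoured as the entire leftmost label and covers
    exactly one label: *.mydomain.com matches web.mydomain.com but neither
    mydomain.com nor a.web.mydomain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names: Iterable[str],
                     common_name: Optional[str] = None) -> bool:
    """True if the certificate is valid for hostname.
    When the certificate carries any dNSName SAN entries, only those are
    consulted; the CN is a fallback used only when the SAN list is empty.
    The port the server listens on (443, 3443, ...) is never compared."""
    names = list(san_dns_names)
    if not names and common_name:
        names = [common_name]
    return any(_name_matches(n, hostname) for n in names)


# Constructed sample: the certificate the question describes, with both
# names present as SAN entries.
QUESTION_CERT_SANS = ["mail.mydomain.com", "web.mydomain.com"]


def check_question_scenario() -> dict:
    """Evaluate the names from the thread against the SAN list and a wildcard."""
    return {
        "mail": hostname_matches("mail.mydomain.com", QUESTION_CERT_SANS),
        "web": hostname_matches("WEB.mydomain.com", QUESTION_CERT_SANS),
        "www": hostname_matches("www.mydomain.com", QUESTION_CERT_SANS),
        "wildcard_web": hostname_matches("web.mydomain.com", ["*.mydomain.com"]),
        "wildcard_deep": hostname_matches("a.web.mydomain.com", ["*.mydomain.com"]),
        "wildcard_apex": hostname_matches("mydomain.com", ["*.mydomain.com"]),
    }
```

If a name that is in the SAN list still produces the mismatch error, the server on that IP and port is presenting a different certificate than the one expected, which is what to inspect before touching DNS.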
 

Author Comment

by:tparus
ID: 40483254
Darn! I have gone down the wrong path. Thanks Dave for clearing up what a SAN can do and thank you Sean for trying to help me out with this situation. I gave points to both of you but Sean got more since he provided more help. Thanks for all your input.
0
