Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Internal Website - SSL Certificate and CNAME Record Issues (Problem with this website's security certificate)

Posted on 2016-10-26
Medium Priority
Last Modified: 2016-10-31

I have an application server running Windows Server 2012 R2 with IIS ver. 8.5 installed. I have an internal website (Intranet) running and it is accessible by "", it is using a self signed SSL certificate (Signed by itself a.k.a. "").

I have setup a CNAME record on our DNS server to point to the web server: "Cool Website Name" ---> ""

The issue is I get an error when connecting to the website via the CNAME alias (Error attached below) -- Https://<cool website name>
-It states that the security certificate presented by this website was issued for a different websites address

My question is how can I secure this website with https while still accessing it via a CNAME record? There are requirements for the website to be renamed so that users do not need to navigate to "". However, when they do this they have to click 'accept' or 'continue to this website' when the error pops up.

Clearly it's not hard to click accept to that error message but in terms of user security I don't want to teach the thought that when this error message appears its ok to click.... because that would be false if they are on the internet. Management wants that error away.

Is there any way to achieve this maybe using an Enterprise CA (Active Directory Certificate Services) or some other method? Can any IIS/Intranet experts advise how to achieve this?

Any help is appreciated. Thanks!

-Admin in need
Question by:leshad82
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 41860665
the certificate is probably issued to servername which does not equal servername.domain.ext

Setting up an internal CA can fix it as long as the subject name is correct, but you will have to distribute the root ca and any subordinate ca's certificate to the trusted root providers (usually done by group policy) to all computers or you will get the certificate was issued by a server that is not in your trusted root providers store.

Setting up a proper CA is not a click, click, next, finish operation.  read the technet documentation first or hire someone to setup your CA. Many people forget to create the capolicy.inf first
LVL 27

Expert Comment

ID: 41860698
Even if there's not a name mismatch on the cert (which there apparently is at the moment), your users' machines still aren't going to trust it, because it's self-signed. So they're going to get a cert warning anyway; it'll just say that the cert wasn't issued by a trusted authority. Have a user browse to now, rather than the other name, and this is likely what you'll see.

As David says above, yes, installing an internal CA can fix this, but it's not a trivial task. If you don't have many users, you can manually import the cert on their machines, and you'll be good to go. If there are a lot of users, though, you may be better off springing for a cert from a trusted public CA.

Author Comment

ID: 41860702

You are correct the self-signed certificate is issued to "" and I created a CNAME record so that https://SITEALIAS points to "".

This alias does indeed work however the mismatch cert error comes up no matter if you install the cert to the trusted root CA folder.

So what your saying is that I need to do the below steps?

•Install Active Directory Certificate Services (ADCS)
•Install the Root CA certificate to the trusted root CA folder via GPO for all client workstations
•Generate a certficate for "" from the internal CA and put the alias on the "Subject name" area?

Is that correct or will I need to generate a certificate for both the server and the alias?

E.g. -->  x1 Cert = ""   x1 Cert = "SITEALIAS"

P.s. IIS 8.5 has the proper HTTPS bindings setup so that https://SITEALIAS and both work currently just thought would be helpful to mention.
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.


Author Comment

ID: 41860713
Dr Dave,

Thanks for the reply! I don't think your statement is entirely true however.... my server is currently using a 'self-signed' certificate registered to "". If I push this self signed cert out via a GPO to my clients and install it into the trusted root CA folder then accessing the website via will work WITHOUT errors.

I only see the error when I navigate to the site via the CNAME alias. So I guess the real question here is can I secure this CNAME alias with SSL somehow so that the intranet website is accesible without this certificate mismatch error?

I'm open to all options if they will fix the issue, e.g. Enterprise CA, Public CA (Komodo, Digicert, etc.). However, i'm uncertain if going to a public Root CA will be any benefit to a local only website.

Appreciate the help!
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41860814
if you use cname alias and have the certificate for it will fail with a missmatch because http://alias does not equal
you could create an A or a CNAME record

Author Comment

ID: 41860865
Hi David.

I see what you're saying that still works however you get that error still because the alias name does not match the server that the certificate is registered to.

I think my next step will be to setup ADCS on one of our servers and try to hand out certificates to the server that hosts the intranet through that.

Thanks for the sugesstions
LVL 27

Assisted Solution

DrDave242 earned 1000 total points
ID: 41860946
Thanks for the reply! I don't think your statement is entirely true however.... my server is currently using a 'self-signed' certificate registered to "". If I push this self signed cert out via a GPO to my clients and install it into the trusted root CA folder then accessing the website via will work WITHOUT errors.
Sorry, you're right; I hadn't thought about distributing a self-signed cert via GPO. If you want to issue a cert with an alternate name on it, which appears to be necessary, you will need to install AD CS and issue it from there. There's no supported way to issue a self-signed cert with an alternate name, and the only unsupported way I've found looks pretty ugly and unreliable.

Accepted Solution

leshad82 earned 0 total points
ID: 41861197

Thanks to the both of you for the suggestions and assistance! I ended up resolving this using powershell commands to create a self signed certificate with the DNS name I required.

•New-SelfSignedCertificate -DnsName <NAME> -CertStoreLocation cert:\LocalMachine\My

This created the self-signed certificate based on the CNAME record and appears in the 'Personal' cert store and within IIS 8.5 "Server Certificates". I then proceeded to create a binding using the new certificate.

The next steps were to export the certificate and private key and deploy this certificate to all domain workstations trusted root CA cert store via group policy object.

•mmc.exe --> Add/Remove snap-ins --> Add 'Certificates' --> Personal --> Right click <CERT NAME> --> Export --> Insert password, name the file and save it to a location to copy to domain controller.

•New GPO --> Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Public Key Policies --> Trusted Root Certification Authorities --> "Import"


Author Closing Comment

ID: 41866620
After some further research I found the solution to be unrelated to what the contributors were suggesting. Instead of using ADCS I ran a commandlet from the 'PKI' module to create my own self-signed certificates with customizable DnsNames. So instead of being forced to use the server FQDN I was able to create a certificate using the CNAME alias which will be the exact site name/URL

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question