SSO and SSL Certificates - ssl

I was ask to use a different SSL certificate for my SSO web service and a different SSL certificate for my website.
Why would I need a different SSL certificate when both the website and webservice are under the same IIS?

Usually certificates are issued to a particular domain. If your website and webservice are on different sub domains then you would use a different certificate for each.
Alternatively you can obtain wildcarded certificates (ie. *.yourdomain.com) but these tend to be much more expensive.

Related

How many SSL certificates needed for load balanced web servers

I have 3 servers. 1 is IIS-ARR load balancer. 2 servers are IIS web servers with my website hosted. I want to run the website on https. So how many SSL certificates are needed, which servers I have to create SSL CSR request and Which servers I have to install them.
I found a solution for this from another query. I need to use a certificate with Subject Alternate Names which is authorized for multiple domains.
Such a certificate could, once installed where the CSR was created in order to pair it with the private key, be exported as a bundle including the private key then imported on all involved servers.
So, just 1 certificate will solve the purpose.

How to sign an application and a site with SSL

I have a question regarding signing with SSL. I need to sign an application (.exe) written in Delphi. At the same time I also want to sign an Internet Portal with which the application communicate. My question is: does signing services generally provide also the certificate for the application either the certificate for the site? Can you sign the application with the same certificate or do you need another certificate? Can you sign multiple applications with the same certificate?
Thanks in advance.
Alberto
You need 2 certificates: One for code signing (that is, signing the .exe) and one for SSL (for the website).
You can not sign the application using the same cert as your are using for SSL.
You can sign as many applications with your code signing certificate as you like.
You may or may not use the SSL cert for multiple hosts (e.g.: blog.domain.com, www.domain.com, chat.domina.com, static.domain.com...), this depends on the type of certificate you are using.
Also: Please note that you can get free SSL certificates (e.g.: LetsEncrypt provides them, and azure website can use free "managed" certs from microsoft.). However, to my knowledge, there are no free code signing certificates.

Understanding ssl certificates

I am having a bit of trouble understanding how many ssl certificates I should get under specific conditions:
I have two pages the user is supposed to use (index and main) and all other scripts users don't access in the front end (e.g. uploadFile.php).
I have socket.io implemented in port x which I want to run over https protocol.
How many ssl certificates should I get under these conditions to assure secure data traffic? (is the data from all other php scripts still secure if index and main have ssl?)
SSL cert is issued for a specific DNS name. So if you run your PHP and Socket.io applications on the same domain, one cert is surely enough to secure both.
If you run your app on two different domains, you need to (a) use two separate regular certificates, or (b) have one SAN certificate (it secures multiple DNS names).
Also there is a wildcard certificate, it secures all direct subdomains of specified domain (*.some-site.com). It can be combined with SAN feature, so it can secure base domain some-site.com and direct subdomains as well.
IF your website is accessed via different website on https , then your website and the website through which its accessed needs to have their separate SSL certificate.
If your website does not have an ssl certificate , the connection will be dropped when your website link is accessed via other website.

SSL Certificates for just API or do clients need them to?

I have a RESTFul API that I want to secure using SSL Certs. If I were to get some SSL certificates, would I need separate ones for each of my web clients that use my API or would the API be the only thing that needs the certificate?
The SSL certificate is installed on your web server hosting your REST API. The clients don't need to have a certificate to securely exchange data with your server.
Think about all the e-banking/e-shopping sites that you probably use. You don't specifically install any certificates on your computer to be able to use them. As long as you trust the certification authority that issued the certificates to those websites (handled by your computer transparently), your computer can connect to them over SSL.
So, as long as your own server's SSL certificate is valid and issued by a trusted certification authority, your clients will be able to connect securely over SSL without needing separate certificates.
SSL Certificates are for Web Server. You install them in your Web Server. Certificates are matched to your domain. They have nothing to do with the clients. Any client can access your server if you have a valid certificate.
I think you have multiple Resful API's.
Now you need not have separate Certificates for API's since Certificates are matched to your server's domain and not to the API's you host. You can have any number of API's and Clients connected to your server using a SSL Certifcate.

Client certificate selection

I have a https apache server that needs client verification. But when somebody is browsing this site there is need to select proper cert from list of certificates installed in browsers. What can I do to become client cert default to my webpage (so clients do no need to select cert)
Is your certificate valid and signed by a 3rd party root authority like Thawte, Verisign... etc?
You can't control from the server which client certificate is presented - you can only indicate that you expect a clientside certificate (SSLVerifyClient). Most browsers allow the user to associate websites with individual client certs. There is no way to manipulate this from the serverside.