Silly SSL cert question for Windows 2000/ASP/IIS - ssl

I've got an ssl certificate for what I think is my domain and I want to apply it to two separate applications in that domain that run under ASP classic in IIS on Windows 2000.
I have the following stupid questions:
Are certificates issued for URLs or domains? Or subdomains?
Can I use the same cert for multiple websites (applications) within that domain, or do I need a separate one?
Can I inspect the cert file to determine for what or to whom it's issued?
Thanks!

1) Web certs are issued to a domain. Specifically the CN attribute of the certificate must match the domain used to access your site.
2) Certs are usually install per host (or virtual host). If you had cert for the domain wwwapps.domain.tld you could have one app at /calendar, and one app at /contacts.
3) Yes, depending on the format and where it is, this can be easy or hard. If you have a crt file and you are running under windows, just click on it. You should see the details.
If you want to inspect a certificate that is installed on a site, you usually have to click on the padalock icon.
On windows you can also open up the MMC, add the certificate snapin and see any/all installed certificates on the local machine, or your profile.

They are issued for domains. Subdomains require their own certs. You can buy a special wildcard cert for your domain that lets you create certs for your subdomains, but they are more expensive.
If you buy a cert for mydomain.com, you can use it for anything that starts with https://mydomain.com/
Yes. You can do this for any certs. check out the lock icon in your browser's address bar.

It's usually issued to a single web server host (basically a computer cname or a record) like foo.bar.com where foo is one name for the host which the certificate request was generated for and bar.com is its domain.
Thus it will work for any application or virtual directory that responds to https://foo.bar.com - like https://foo.bar.com/planner/ - but nothing more.
For https://*.bar.com you can get a wildcard certificate that lets you handle any number of hosts without any hassel - at a greater cost.
There are also multiple-SAN (UCC) certificates that can contain a specific number of host names in a single certificate like webmail.bar.com and autodiscover.bar.com for an Exchange 2007 server serving both web access and Outlook Anywhere from the same physical machine and NIC.
If it's in .cer format simply opening it in Windows will show the details, if it's a pfx or in some other transport format you'd need to import it.
You basically install the certificate on a Web Site node in IIS and anything you can fit beneath that (or modify using a modern firewall in front of it to still respond to the issued common name foo.bar.com) will work.

Thanks! I enabled port 443 for the site at the domain on the cert, loaded the cert via directory security in IIS for each subfolder, and enabled 128-bit encryption. Worked like a champ!

Related

Can I get trusted CA certificate for a local virtual host e.g. https://myapp

we have an web application(WAMP stack) on a local Windows server. There are several dependencies and an Oracle db running on this server and the server is closed to outside internet traffic.
Clients access the app on LAN using the server's IP, but we plan to create a virtual hostname in active directory to enable access using a hostname on entire local network.
We would like to secure the traffic and switch to https, thus we need a SSL certificate, preferably from a trusted CA to avoid any confusing warnings to the users.
Is there a way to get a Trusted CA SSL certificate for a local host? I was thinking of getting a certificate for a public domain, say myapp.net, then map this domain to actual ip of the local server running the app and install the certificate in apache... would that work?
Thank you for any ideas.
Alexander
You have several options:
The public CAs that your browser trusts by default will only sign keys for DNS names. And you can totally have a DNS name that is not accessible from the public internet (e.g. one that resolves to a local IP). In case you're using CAs like LetsEncrypt (Domain Validated), you will need to make the server available publicly during the key exchange/certification time, but can change the IP immediately afterwards (*). Or simply use one of the other available validation techniques - typically they're paid.
As you're on the intranet, you might be in a situation where you can install your own internal trusted CA on your users' computers. In that case, you can mint such a certificate yourself. This is a scenario that's common in case there's a proxy running internally that's also inspecting https traffic.
And, of course, in case you can install trusted root CAs on computers, you can also install individual trusted keys/certificates for a single machine. But that seems not to be what you'd like to do.
So, for https://myapp you'll have to do some minting/installation yourself. For https://myapp.example.com, you have options with (already) trusted root CAs
(*) that is for the commonly used and documented mode-of-operation. See Patrick's comment below

Plesk: SSL Issue on shared IP Hosting with multiple Domains

this one is driving me mad - hopefully anyone of you can help.
I ordered a cloud server with intention of running multiple customer sites on one server/one ip. Everything is working fine so far, but Im having troubles with SSL.
I added 2 Domains (Domain a, Domain b) via Plesk Panel and installed basic ssl certificates which are working perfectly fine. Both Domains can be accessed via https:// and in the broswer both certificates are shown as valid / secure
Problem: Im getting SSL Issues / Warnings when connecting to the domains mailboxes -> to secure the Plesk Panel a self-signed Certificate was pre-installed.
When I exchange the Plesk self-signed certificate to a certificate for Domain a, Domain a mailboxes are working perfectly fine - but not for Domain b. (obviously). What certificate do I need to install to secure the Plesk Panel and which does not cause any problems with all underlying Domains & their mailboxes?
Will creating a certificate for the servers IP address will do the trick? Is this accepted, even possible or will it result in another warnings? If yes, do I need to create a certificate for xx.xxx.xxx.xxx or xx.xxx.xxx.xxx:8443?
Or is there any other option for running multiple domains on one shared ip?
Any help/guidance is very much appreciated!
Thanks!
Did you mean something like mail.domainb.com or autodiscover.domainb.com for mailbox? Then make sure you have valid SSL certificate for them also not only for mail domain. As far as I know you would not be able to get third-party certificate on IP addresses.
Sorry if I have guessed wrong.

SSL certificates with unknown domain name

We're having an issue with securing an intranet / internet website with SSL where
we can't know the qualified domain name in advance.
Basically, I'm trying to make a program that will be installed on a webserver
outside my direct control, to be accessable over intra- or internet. In either case
I want it to be secure via SSL (https). To do this, I would like to include and
install a SSL certificate on the target machine. My installer is fully prepackaged
and should not require any particular during- or postinstall intervention from my
end. Problem is, I can't know ahead of time the target machine's name or domain
name, so as far as I can tell the SSL connection will be returning warnings (or
worse?) when accessed, since the certificate I include will (must) have a different
name on it.
I really want to avoid those warnings, but I still want to keep it secure. Is there
any way to install a SSL connection without certificate warnings without the domain
name known ahead of time?
Thanks for any help you folks can give.
What you want to do is not possible. Here's why.
A certificate will include a set of names (Common Name, possibly along with Subject Alternative Names, possibly including wildcard names).
The client's web browser will do the following:
The user wanted to visit "https://myapp.mydomain.com/blog/posts/1".
The request is via SSL and the domain name in the request is "myapp.mydomain.com".
Get the certificate from the Web server.
Ensure that at least one of the names in the certificate is exactly equal to, or wildcard-matches, the domain name in the request.
Display the page.
Therefore, you need a certificate with the exact domain name (or a wildcard matching the exact domain name) by which the application will be used. And the certificate needs to be available at the same time as, or later than, the time when the exact domain name of the website becomes known, and cannot be made available any earlier.
You seem to be under the misapprehension that somehow a certificate can "create" or "install" an SSL connection. That is false. The Web server - Apache, IIS, Nginx, LigHTTPD, or whichever one you happen to use - is the program that knows how to every aspect of SSL connectivity. The certificate is just a file that the Web server sends to the client, without even opening or using in any way.
Additionally, the author of a webapp to be distributed is not responsible for creating or distributing certificates, and should not be under the misapprehension that he is responsible. Only the website maintainer should be responsible for obtaining a certificate for his website. As another person remarked, in your installation process or perhaps in a post-installation process, you may ask the person installing the webapp for a certificate. But that is the best you can do.
The best you can do is to buy a wildcard SSL certificate - but wait, it's not what you think. You still need to know the second-level domain (the TLD being ".com") ahead of time. You can effectively ask for a cert that covers *.foo.com - then any site, a.foo.com, b.foo.com will be covered. Of course, these certs are more expensive that FQDN certs because you are doing the buggers out of some extra coin.
-Oisin
Each of those sites should have their own SSL certificate. Why not prompt the user to provide the cert file during installation?
In most (if not all) cases, the SSL certificate is associated with the webserver (apache, IIS, etc.) and is not part of your application. It's up to the admin of the web server to install the certificate and not you as the author of the program.
If your installation program does have the ability to modify the web server configuration, and you are willing to have it use a self-signed certificate, you can script the creation of the certificate to allow the domain name to be input. However, I sense this is not really available to you. Also, a self-signed certificate will generally cause certificate warnings.
If I understand you correctly there might be a solution to your problem now. This solution won't help you, however, if you have no control over specifying what SSL certificates are served from the web server where your program is installed (as mentioned by someone else). If your program itself contains a web server you won't have this issue.
If you start with a trusted https website, you can make cross-domain TLS (SSL) XmlHttpRequests to the web servers that are running your application. This is made possible using the opensource Forge project. The project uses a TLS implementation written in JavaScript and a small Flash swf to handle the cross-domain requests. Your program will need to serve an XML Flash policy file that grants the trusted website access to the web server running the application.
Your program will also need to generate a self-signed SSL certificate and upload it to the trusted website. From there, each program's certificate can be included as trusted via the JavaScript TLS implementation. Alternatively, you can have your program upload its certificate to be signed by a CA you create, using a common or subject alternative name that is appropriate for your use (it doesn't have to be the domain name). Then you can use JavaScript to trust the CA certificate and look for the correct name on each certificate.
For more details check out the Forge project at github:
http://github.com/digitalbazaar/forge/blob/master/README
The links to the blog posts at the end provide more in-depth information about how it works.

SSL on a single server for multiple web sites

Here is my scenario:
default website on IIS 6.0 is already protected by an SSL cert with common names covering the following:
domainname.com
www.domainname.com
I have a new website on the same IIS server and need to protect it with an SSL cert with the following common name:
subdomainname.domainname.com (same domainname as default)
I do not have the freedom to add a new IP address to the server. Not an infrastructure friendly request for whatever reasons.
We also have our Exchange webmail protected by another cert on another server with:
webmail.domainname.com
I do not believe I can use a wildcard cert because exchange is on a different server, correct?
Whether I can or not use a wildcard server, how can I protect the new subdomain on the main IIS server with a new cert? Do I replace the cert on the default with the new common name representing the subdomain web site and the default web site common names. Can I assign the same cert on the same server with all common names needing protection to multiple websites on IIS 6.0?
Thanks for any help in getting this resolved.
You are correct, you would need multiple signed certificates for your servers. Godaddy offers certs for single-servers only, AFAICT. DigiCert offers multi-domain, multi-server certificates. I've never used them, so I can't vouch for anything they offer, but it shows that what you want IS available in the marketplace.
You can get a single cert and use it on multiple servers so long as the DNS entries map out to the correct servers.
Go Daddy offers several cert types and they don't make it clear how to deal with this issue.
Standard (Turbo) SSL 1 domain ~$30
Standard Multiple Domain (UCC) SSL Up to 5 Domains ~$90
Standard (Turbo) Wildcard SSL ~$200
Get the 5 domain cert with
domainname.com
www.domainname.com
subdomainname.domainname.com
webmail.domainname.com
all listed on the one cert. Complete the request on the server you started the request from then use the tools built into the windows servers to copy the cert from one server to another. Doing so doesn't remove it from the first server and adds it to the second.
I did this not too long ago. My Web server is 2008 and the mail server is 2003. In that combination I had to export as a .pfx file and then import the .pfx. If you do it from 2003 to 2003 you may be able to use the copy from another server option and save manually moving the exported file around.
In my case the cert mentions "Certificate Subject Alt Name" with
Not Critical
DNS Name: www.adomain.com
DNS Name: adomain.com
DNS Name: www.adomain.com
DNS Name: mail.adomain.com
Looks like one of those lines is a duplicate but hey it works. I don't know why the cert uses the terminology of "Not Critical" to head that section.
IIS won't let you put two sites on the same IP/port combo but it will let you put the same SSL on two different sites. The secondary site will have to use something other than 443 if you don't have the option of using a different IP address.

HTTPS Certificate for internal use

I'm setting up a webserver for a system that needs to be used only through HTTPS, on an internal network (no access from outside world)
Right now I got it setup with a self-signed certificate, and it works fine, except for a nasty warning that all browsers fire up, as the CA authority used to sign it is naturally not trusted.
Access is provided by a local DNS domain name resolved on local DNS server (example: https://myapp.local/), that maps that address to 192.168.x.y
Is there some provider that can issue me a proper certificate for use on an internal domain name (myapp.local)? Or is my only option to use a FQDN on a real domain, and later map it to a local IP address?
Note: I would like an option where it's not needed to mark the server public key as trusted on each browser, as I have not control over workstations.
You have two practical options:
Stand up your own CA. You can do it with OpenSSL and there's a lot of Google info out there.
Keep using your self-signed cert, but add the public key to your trusted certs in the browser. If you're in an Active Directory domain, this can be done automatically with group policy.
I did the following, which worked nicely for me:
I got a wildcard SSL cert for *.mydomain.com (Namecheap, for example, provide this cheaply)
I created a CNAME DNS record pointing "mybox.mydomain.com" at "mybox.local".
I hope that helps - unfortunately you'll have the expense of a wildcard cert for your domain name, but you may already have that.
You'd have to ask the typical cert people for that. For ease of use I'd get with the FQDN though, you might use a subdomain to your already registered one: https://mybox.example.com
Also you might want to look at wildcard certificates, providing a blanket cert for (e.g.) https://*.example.com/ - even usable for virtual hosting, should you need more than just this one cert.
Certifying sub- or sub-sub domains of FQDN should be standard business - maybe not for the point&click big guys that proud themselves to provide the certificates in just 2 minutes.
In short: To make the cert trusted by a workstation you'd have to either
change settings on the workstations (which you don't want) or
use an already trusted party to sign your key (which you're looking for a way around).
That's all your choices. Choose your poison.
I would have added this as a comment but it was a bit long..
This is not really an answer to your questions, but in practice I've found that it's not recommended to use a .local domain - even if it's on your "local" testing environment, with your own DNS Server.
I know that Active Directory uses the .local name by default when your install DNS, but even people at Microsoft say to avoid it.
If you have control over the DNS Server you can use a .com, .net, or .org domain - even if it's internal and private only. This way, you could actually buy the domain name that you are using internally and then buy a certificate for that domain name and apply it to your local domain.
I had a similar requirement, have our companys browsers trust our internal websites.
I didnt want our public DNS to issue public DNS for our internal sites, so the only way to make this work that I found was to use an internal CA.
Heres the writeup for this,
https://medium.com/#mike.reider/getting-firefox-chrome-to-trust-your-internal-websites-internal-certificate-authority-a53ba2d4c2af
i think the answer is NO.
out-of-the-box, browsers won't trust certificates unless it's ultimately been verified by someone pre-programmed into the browser, e.g. verisign, register.com.
you can only get a verified certificate for a globally unique domain.
so i'd suggest instead of myapp.local you use myapp.local.yourcompany.com, for which you should be able to get a certificate, provided you own yourcompany.com. it'll cost you thought, several hundred per year.
also be warned wildcard certificates might only go down to one level -- so you could use it for a.yourcompany.com and local.yourcompany.com but maybe not b.a.yourcompany.com or myapp.local.yourcompany.com, unless you pay more.
(does anyone know, does it depend on the type of wildcard certificate? are sub-sub-domains trusted by the major browsers?)
Development purpose only
This docker image solves the problem (thanks to local-ip.co): https://github.com/medic/nginx-local-ip.
It launches a reverse proxy in the port 443 with a public cert that works with any *.my.local-ip.co domain. Eg. your local IP is 192.168.10.10 → 192-168-10-10.my.local-ip.co already points to it (it's a public domain)! Assuming the app is running in your computer at the port 8080, you only need to execute this to proxy pass your app and expose it at the URL https://192-168-10-10.my.local-ip.co:
$ APP_URL=http://192.168.10.10:8080 docker-compose up
The domain is resolved with any public DNS you have configured in the devices where you want to access the app, but your traffic keeps local between your app and the client (through the proxy), so you can even use it to connect with devices within the same LAN network, without any of the traffic going out to internet, all the traffic is local.
The reason that is mostly useful for development is that anybody can launch an application with this same certificate, so is not really secure, but helpful when you need to expose your app with HTTPS while developing or testing (e.g. HTML5 apps in Android that are loaded with Webview).