Re: SSL Host Headers IIS 6.0

From: Jeniffer K (me_at_me.com)
Date: 11/17/05


Date: Thu, 17 Nov 2005 09:37:04 -0500

Also, can I use a wildcard cert if the two domain names are completely
different? In other words, can I use the same cert for abc.com and xyz.com, or
only for *abc.com?

thanks again

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:e9zAKlz6FHA.2628@TK2MSFTNGP11.phx.gbl...
> You have two SSL sites with different certificates/identities. You will
> either need two IPs or two Ports. I suggest two different IPs in your case
> because if you change ports, you will likely need to change a lot of web
> pages or do a lot of coding.
>
> You will not be able to use one IP:Port for both SSL sites who have
> different certificates. Think about it this way -- suppose you have:
> - www.CompanyA.com host header resolves to IP1:www.CompanyA.com
> - www.CompanyA.com website has its own SSL Certificate
> - www.CompanyB.com host header resolves to IP1:www.CompanyB.com
> - www.CompanyB.com website has its own SSL Certificate
>
> Suppose someone makes the request https://www.CompanyA.com - which
> translates into a request to IP1 over port 443 with host header
> www.CompanyA.com. Now, how does IIS know whether to use www.CompanyA.com's
> SSL Certificate or www.CompanyB.com's SSL Certificate to do the SSL
> negotiation? The host header value is encrypted with SSL, so IIS has to
> first complete SSL handshake with *some* SSL Server Certificate to decrypt
> and get the host header... but which one? This is basically a by-design
> catch-22.
>
> Thus, the only way to have SSL work is:
> 1. Each website has distinct IP:Port and distinct SSL Certificate
> 2. Websites with identical IP:Port must have wildcard SSL Certificate that
> covers the identity of each website
>
> Since you have distinct SSL Certificate and no wildcard SSL Certificate
> covers the identity of both your websites, you must pursue option #1. And
> you are choosing distinct IP so you don't need to recode any web pages.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Jeniffer K" <me@me.com> wrote in message
> news:%23gIIn8t6FHA.1184@TK2MSFTNGP12.phx.gbl...
> Today is the first time I've tried configuring a few sites with a cert and
> discovered that it's not all that simple. I was under the assumption that it's
> much like standard HTTP on port 80, where it allows you to share the same IP
> by specifying host headers; with HTTPS on port 443, however, it is an
> entirely different story: the site will fail to bind if two sites share the
> same port. I've searched and found the use of wildcard certificates, but it's
> somewhat problematic for me because I have physically separate certificates
> for each site; each site is an entirely different company, so how do I go
> about doing this? Also, say I change the SSL port number for each site I
> want to secure, will I have to hard code the new port on each page that's
> linking to a secure page? Please advise.
>
> Thanks
>
>
>
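The wildcard question and David's two binding options, worked through as an added example (this is not code from the thread or from IIS): a small checker that applies the usual wildcard-matching rules and then groups sites that can share one IP:443 on a server that, like IIS 6.0, cannot read the host header before the handshake. All hostnames and certificate names are constructed for illustration.

```python
from typing import Dict, List, Tuple


def name_covers(cert_name: str, hostname: str) -> bool:
    """True if one name on a certificate (CN or SAN) matches hostname.

    Wildcard rules: only a leading '*.' is honoured, it matches exactly one
    DNS label, and it never matches the bare domain (*.abc.com does not
    cover abc.com, and obviously not xyz.com)."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                   # "*.abc.com" -> ".abc.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]      # the label the '*' stands for
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert_names: Tuple[str, ...], hostname: str) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(name_covers(n, hostname) for n in cert_names)


def plan_bindings(sites: Dict[str, Tuple[str, ...]]) -> List[List[str]]:
    """Group sites so that each group can share a single IP:443 binding.

    sites maps hostname -> names on the certificate installed for that site.
    Sites that use the same certificate, and are all named by it, share a
    binding (option 2 in the thread); every other site needs its own IP:Port
    (option 1). A site whose own cert does not name it is a misconfiguration."""
    groups: List[List[str]] = []
    for host, names in sites.items():
        if not cert_covers(names, host):
            raise ValueError(f"{host}: installed cert {names} does not name it")
        for group in groups:
            if all(sites[h] == names for h in group):   # identical cert
                group.append(host)
                break
        else:
            groups.append([host])
    return groups


# Constructed sample: two CompanyA hosts on one wildcard cert, CompanyB on its own.
WILDCARD_A = ("*.companya.com",)
CERT_B = ("www.companyb.com",)
SITES = {"www.companya.com": WILDCARD_A,
         "shop.companya.com": WILDCARD_A,
         "www.companyb.com": CERT_B}
```

plan_bindings(SITES) yields two groups, so two distinct IPs (or ports) are needed, exactly the outcome David describes for certificates from different companies.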


