Implementing 2 certificates with IIS 6.0
| Henrique Alves 2005-09-02, 5:57 pm |
| Hi,
I tried to install two web server certificates on the same machine (but
in different sites), with IIS 6.0, but with no success.
What happened was that when I first installed the first certificate
everything worked fine, but after installing the second one (in another
site) the first certificate never worked again. I tried making a backup and
installing again, tried to remove and install the certificate again, and
nothing works. Can anyone help me?
I already installed IIS Diag and everything looks OK...
Thanks in advance,
Henrique Alves.
| |
| Miha Pihler [MVP] 2005-09-02, 5:57 pm |
| Hi,
How does this error represent itself? What happens when you try and use the
first certificate?
Are you running these different sites on different IP addresses? Are there
any errors in Event logs (Applications and System logs)?
--
Mike
Microsoft MVP - Windows Security
"Henrique Alves" <henrique@isegi.unl.pt> wrote in message
news:eycjjd8rFHA.2592@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I tried to install two web server certificates on the same machine (but
> in different sites), with IIS 6.0, but with no success.
>
> What happened was that when I first installed the first certificate
> everything worked fine, but after installing the second one (in another
> site) the first certificate never worked again. I tried making a backup and
> installing again, tried to remove and install the certificate again, and
> nothing works. Can anyone help me?
>
> I already installed IIS Diag and everything looks OK...
>
> Thanks in advance,
>
> Henrique Alves.
>
| |
| Henrique Alves 2005-09-02, 5:57 pm |
| Hi,
Like this: when I tried to browse the first site on which I "installed" the
certificate, I got the certificate from the second site. Understand?
I think you gave me a great tip. I changed the IP address of
the site and now I just get the first certificate. Strange, but it seems
that should be something to do with this.
I'm running the sites with the same IP address (just with
different host headers). Is there a problem? Should I run with different IPs?
The Event log doesn't show any related error.
Can you help me with this now?
Many thanks Mike,
Henrique Alves.
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:OEWba69rFHA.1256@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> How does this error represent itself? What happens when you try and use
> the first certificate?
>
> Are you running these different sites on different IP addresses? Are there
> any errors in Event logs (Applications and System logs)?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Henrique Alves" <henrique@isegi.unl.pt> wrote in message
> news:eycjjd8rFHA.2592@TK2MSFTNGP09.phx.gbl...
>
>
| |
| Miha Pihler [MVP] 2005-09-02, 5:57 pm |
| You should either use a different IP address or a different TCP port when you
use SSL. You can't use a host header when you use SSL.
--
Mike
Microsoft MVP - Windows Security
"Henrique Alves" <henrique@isegi.unl.pt> wrote in message
news:eKHB1R%23rFHA.3392@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> Like this: when I tried to browse the first site on which I "installed" the
> certificate, I got the certificate from the second site. Understand?
>
> I think you gave me a great tip. I changed the IP address of
> the site and now I just get the first certificate. Strange, but it seems
> that should be something to do with this.
>
> I'm running the sites with the same IP address (just with
> different host headers). Is there a problem? Should I run with different
> IPs?
>
> The Event log doesn't show any related error.
>
> Can you help me with this now?
>
>
>
> Many thanks Mike,
>
> Henrique Alves.
>
>
>
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:OEWba69rFHA.1256@TK2MSFTNGP09.phx.gbl...
>
>
| |
| David Wang [Msft] 2005-09-03, 2:49 am |
| Actually, with Windows Server 2003 SP1, IIS6 supports Host Headers with SSL.
http://www.microsoft.com/technet/pr...941b07554c.mspx
The key fact that remains is that SSL requires exactly one Server
Certificate per IP:Port combination.
This means that to implement two SSL websites using different certificates,
you must have two different IP:Port combinations.
Even with Host Header over SSL, the requirements are that all the host
header websites MUST use the same SSL server certificate -- which means that
you must configure a wildcard SSL certificate for all of those websites.
Clearly, this limits Host Header over SSL to only support sub-domains --
that is:
https://subdomain1.domain.com and https://subdomain2.domain.com can both
share the common *.domain.com SSL server certificate configured for those
two domains.
In particular, since you cannot get a *.com certificate, you cannot use Host
Header over SSL for https://domain1.com and https://domain2.com
In other words, IIS6 on Windows Server 2003 SP1 does not impose any
restrictions on SSL that are not already there in the protocol or by how the
world treats SSL Server Certificates.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:ucTc3g%23rFHA.3640@tk2msftngp13.phx.gbl...
You should either use a different IP address or a different TCP port when you
use SSL. You can't use a host header when you use SSL.
--
Mike
Microsoft MVP - Windows Security
"Henrique Alves" <henrique@isegi.unl.pt> wrote in message
news:eKHB1R%23rFHA.3392@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> Like this: when I tried to browse the first site on which I "installed" the
> certificate, I got the certificate from the second site. Understand?
>
> I think you gave me a great tip. I changed the IP address of
> the site and now I just get the first certificate. Strange, but it seems
> that should be something to do with this.
>
> I'm running the sites with the same IP address (just with
> different host headers). Is there a problem? Should I run with different
> IPs?
>
> The Event log doesn't show any related error.
>
> Can you help me with this now?
>
>
>
> Many thanks Mike,
>
> Henrique Alves.
>
>
>
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:OEWba69rFHA.1256@TK2MSFTNGP09.phx.gbl...
>
>
| |
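The rule David Wang describes above (one server certificate per IP:Port, and host headers over SSL only where a single wildcard certificate covers every host name on that endpoint), written as a check over a site inventory. This is an added example, not code from the thread or from IIS; the tuple layout, function names and sample sites are assumptions constructed for illustration, and the wildcard match follows the usual single-label rule.

```python
from collections import defaultdict

def cert_covers(cert_name, host):
    """True if a certificate name (exact or single-label wildcard) matches host."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    # A wildcard stands for exactly one left-most label: *.domain.com matches
    # sub.domain.com but neither domain.com nor a.b.domain.com.
    head, _, tail = host.partition(".")
    return bool(head) and tail == cert_name[2:]

def audit_bindings(bindings):
    """bindings: iterable of (site, ip, port, host_header, cert_name).
    Returns a list of (ip, port, problem) tuples, one per violation."""
    by_endpoint = defaultdict(list)
    for site, ip, port, host, cert in bindings:
        by_endpoint[(ip, port)].append((site, host, cert))
    problems = []
    for (ip, port), sites in sorted(by_endpoint.items()):
        certs = sorted({cert for _, _, cert in sites})
        if len(certs) > 1:
            # The certificate is chosen per IP:Port, so only one can be served.
            problems.append((ip, port, "multiple certificates: " + ", ".join(certs)))
            continue
        for site, host, cert in sites:
            if host and not cert_covers(cert, host):
                problems.append((ip, port, f"{cert} does not cover {host} ({site})"))
    return problems

# Constructed sample inventory (documentation IP range, example domains).
SAMPLE = [
    ("shop",  "192.0.2.10", 443,  "shop.example.com", "*.example.com"),
    ("mail",  "192.0.2.10", 443,  "mail.example.com", "*.example.com"),
    ("site1", "192.0.2.11", 443,  "www.example.org",  "www.example.org"),
    ("site2", "192.0.2.11", 443,  "www.example.net",  "www.example.net"),
    ("alt",   "192.0.2.11", 8443, "www.example.net",  "www.example.net"),
    ("other", "192.0.2.12", 443,  "www.example.net",  "*.example.com"),
]

if __name__ == "__main__":
    for ip, port, problem in audit_bindings(SAMPLE):
        print(f"{ip}:{port}  {problem}")
```
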
| Miha Pihler [MVP] 2005-09-04, 5:51 pm |
| Thanks for the info David!
--
Mike
Microsoft MVP - Windows Security
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:%23q21UxDsFHA.908@tk2msftngp13.phx.gbl...
> Actually, with Windows Server 2003 SP1, IIS6 supports Host Headers with
> SSL.
> http://www.microsoft.com/technet/pr...941b07554c.mspx
>
> The key fact that remains is that SSL requires exactly one Server
> Certificate per IP:Port combination.
>
> This means that to implement two SSL websites using different
> certificates,
> you must have two different IP:Port combinations.
>
> Even with Host Header over SSL, the requirements are that all the host
> header websites MUST use the same SSL server certificate -- which means
> that
> you must configure a wildcard SSL certificate for all of those websites.
>
> Clearly, this limits Host Header over SSL to only support sub-domains --
> that is:
> https://subdomain1.domain.com and https://subdomain2.domain.com can both
> share the common *.domain.com SSL server certificate configured for those
> two domains.
>
> In particular, since you cannot get a *.com certificate, you cannot use
> Host
> Header over SSL for https://domain1.com and https://domain2.com
>
> In other words, IIS6 on Windows Server 2003 SP1 does not impose any
> restrictions on SSL that are not already there in the protocol or by how
> the
> world treats SSL Server Certificates.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:ucTc3g%23rFHA.3640@tk2msftngp13.phx.gbl...
> You should either use a different IP address or a different TCP port when you
> use SSL. You can't use a host header when you use SSL.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
> "Henrique Alves" <henrique@isegi.unl.pt> wrote in message
> news:eKHB1R%23rFHA.3392@TK2MSFTNGP11.phx.gbl...
>
>
>