IIS Server Security - SSL certificate problem


Author SSL certificate problem
Arttu Arstila

2007-07-10, 7:20 am

Hello,

We have a Win2003R2sp2 server with one MOSS web application and a shared
services site. These have their own subdomains (site1.domain.com &
site2.domain.com) which point to separate ip addresses (let's just say IP1 &
IP2).

Both sites use SSL, and we have installed certificates for both IIS sites.
Certificates are from a trusted CA, one for site1.domain.com and other for
site2.domain.com. There should be no need for wildcard certificates, as both
sites have unique ip addresses. So the first site responds to IP1:443 and
second site to IP2:443 (the same can be seen in SecureBindings value with
SSLDiag).

Now, browsing the sites works fine. But for site2 the browser gets the
certificate for site1.domain.com and correctly complains about a certificate
error.

Why does site2 offer the certificate of site1, although the IIS shows that
the right certificate is installed? Should I modify SSL headers with the
command line, even though I have two ip addresses?

Robert

2007-07-11, 1:21 pm

On Jul 10, 4:28 am, Arttu Arstila
<ArttuArst...@discussions.microsoft.com> wrote:
> Hello,
>
> We have a Win2003R2sp2 server with one MOSS web application and a shared
> services site. These have their own subdomains (site1.domain.com &
> site2.domain.com) which point to separate ip addresses (let's just say IP1 &
> IP2).
>
> Both sites use SSL, and we have installed certificates for both IIS sites.
> Certificates are from a trusted CA, one for site1.domain.com and other for
> site2.domain.com. There should be no need for wildcard certificates, as both
> sites have unique ip addresses. So the first site responds to IP1:443 and
> second site to IP2:443 (the same can be seen in SecureBindings value with
> SSLDiag).
>
> Now, browsing the sites works fine. But for site2 the browser gets the
> certificate for site1.domain.com and correctly complains about a certificate
> error.
>
> Why does site2 offer the certificate of site1, although the IIS shows that
> the right certificate is installed? Should I modify SSL headers with the
> command line, even though I have two ip addresses?



That's strange. If you're sure they are on different IP addresses and
the correct certificates are assigned in IIS then you shouldn't have
that problem. You could try switching the certificates on to the
opposite web sites to see what that does. Have you restarted the
server since installing the certificates?

--
Robert
SSL Shopper - SSL certificate comparison
http://www.sslshopper.com

Arttu Arstila

2007-07-12, 7:18 am

"Robert" wrote:

> On Jul 10, 4:28 am, Arttu Arstila
> <ArttuArst...@discussions.microsoft.com> wrote:
>
>
> That's strange. If you're sure they are on different IP addresses and
> the correct certificates are assigned in IIS then you shouldn't have
> that problem. You could try switching the certificates on to the
> opposite web sites to see what that does. Have you restarted the
> server since installing the certificates?
>


Hello, and thanks for the reply! According to SSLDiag, site1 has
SecureBindings to ip1:443 and a valid certificate for site1, and the settings
for site2 are also correct. And the server has been restarted several times.
Unfortunately I cannot try switching the certificates, because the
development on the server is so intensive.

Arttu Arstila

2007-07-12, 7:18 am



"Robert" wrote:

> On Jul 10, 4:28 am, Arttu Arstila
> <ArttuArst...@discussions.microsoft.com> wrote:
>
>
> That's strange. If you're sure they are on different IP addresses and
> the correct certificates are assigned in IIS then you shouldn't have
> that problem. You could try switching the certificates on to the
> opposite web sites to see what that does. Have you restarted the
> server since installing the certificates?
>


Hi,

after several reboots, the problem seems to have disappeared. That is strange,
as the first reboot had no effect. In any case, thanks for the help.
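
An added example, not part of the original thread: a Python check that connects to each IP without sending SNI, so the server chooses the certificate from its IP:port binding alone, and reports whether the served names cover the expected host. The two addresses and `constructed_fetch` are constructed stand-ins for the thread's IP1 and IP2 and for the symptom described; pass `fetch_cert` to run it against real hosts.

```python
import socket
import ssl

# Constructed stand-ins for the thread's IP1 and IP2 (documentation addresses).
EXPECTED = {"192.0.2.10": "site1.domain.com", "192.0.2.11": "site2.domain.com"}

def cert_names(cert):
    """DNS names in a dict shaped like ssl.SSLSocket.getpeercert() output."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # No SAN: fall back to the subject CN, as older certificates relied on it.
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly the leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def fetch_cert(ip, port=443, timeout=5):
    """Handshake against the IP itself, sending no SNI, so the server picks
    the certificate purely from its IP:port binding."""
    ctx = ssl.create_default_context()   # the chain is still validated
    ctx.check_hostname = False           # names are compared in audit_bindings
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return tls.getpeercert()

def audit_bindings(expected, fetch=fetch_cert):
    """Return [(ip, wanted_host, served_names, ok)] for each IP -> host pair."""
    report = []
    for ip, host in expected.items():
        names = cert_names(fetch(ip))
        report.append((ip, host, names, any(name_matches(n, host) for n in names)))
    return report

def constructed_fetch(ip):
    """Constructed sample reproducing the symptom: both IPs serve site1's cert."""
    return {"subject": ((("commonName", "site1.domain.com"),),)}

if __name__ == "__main__":
    for ip, host, names, ok in audit_bindings(EXPECTED, constructed_fetch):
        print(f"{ip}:443 expected {host} served {names} -> {'OK' if ok else 'MISMATCH'}")
```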