Ssl – IIS 7.5 SSL certificate for web site that can be accessed from different IPs

Tags: configuration, iis-7.5, ssl, ssl-certificate

I have a website that is currently in development and can be accessed by IP in two ways: on the internal company network the site can be accessed at 198.162.0.10/WebSite, and from the Internet at 212.19.10.50:1234/WebSite.

When a user goes to 212.19.10.50:1234, the request is redirected by routing to 198.162.0.10 on port 443 for HTTPS.

How can I install a server certificate in my case? I need to make it work without certificate issues on both the internal and the external network.

Is it possible to create two certificates for one site so that IIS selects the proper certificate in my case?

And what does the SAN inside the certificate's subject have to be for the external network? The external IP?

Best Answer

Although technically it's possible to set up IIS to support this, you won't be able to get SSL certificates for this kind of setup. I will explain later...

The important thing to remember with SSL is that it's the client's browser doing the validation of the certificate. So it's important what address the client's browser is using to connect to the server. This is the address (also called the common name or CN) for which the certificate should be valid.

If you have clients that connect to the same website with two different host names (or IP addresses in this case) you must either have two certificates for the two host names or a multi-domain certificate. The latter is the easiest to set up but is also more expensive. But adding two certificates to one website is also not that hard. You only have to make sure that you have two separate IP addresses bound to the same website. Each SSL binding requires its own IP address. Because the server is on an internal network I guess it's not that hard to add an extra IP address (e.g. 198.162.0.10 and 198.162.0.11).

You install both certificates on the server in the regular way and then you go into bindings for the website. First you add the first IP address (e.g. 198.162.0.10) that is used for accessing the server from the public internet. You select HTTPS as the protocol and then select the certificate which has the public host name / IP address as the common name. It doesn't matter that the hostname / IP address for the certificate doesn't match with the internal IP address. Again, the server does nothing with it, it's the client's browser validating the certificate.

Then you add the second IP address (e.g. 198.162.0.11) which you use to access the server internally. Again you select HTTPS as protocol but this time you select the certificate which has the internal IP address (i.e. 198.162.0.11) as a common name. And then you should be done.

But... although there are a few certificate authorities that will provide certificates for IP addresses, these must be public IP addresses and you must be able to prove that you are the owner of these IP addresses (e.g. RIPE records). They will however not provide certificates for private IP ranges (like 192.168.x.x). And that's what you need for this setup, so you are out of luck.

Two solutions: either make sure your website is accessible by its public IP address from the inside network as well and get one certificate for that public IP address. Or make it accessible by the same host name from both the public IP address and the internal network. This host name can be mapped to an internal IP address for the internal network, that's not a problem, as long as the host name (= common name) is the same. After all, that's all the browser checks.
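The two-IP, two-binding setup described in the answer, as an added PowerShell example (not code from the original answer). It assumes the site is named "WebSite", both certificates are already imported into LocalMachine\My, and the two thumbprints are placeholders you replace; before each binding it checks that the certificate actually names the address the client will type, since that is the only thing the browser validates. IIS 7.5 has no SNI, so each HTTPS binding needs its own IP address, exactly as the answer says.

```powershell
# Added example; assumptions: site "WebSite", certs already in LocalMachine\My,
# <EXTERNAL-THUMBPRINT> / <INTERNAL-THUMBPRINT> are placeholders to replace.
Import-Module WebAdministration

$site          = 'WebSite'
$externalIp    = '198.162.0.10'   # address the router forwards public :1234 -> :443 traffic to
$internalIp    = '198.162.0.11'   # extra address added for internal clients
$externalThumb = '<EXTERNAL-THUMBPRINT>'
$internalThumb = '<INTERNAL-THUMBPRINT>'

function Add-SiteSslBinding {
    param([string]$Site, [string]$Ip, [string]$Thumbprint, [string]$ExpectedName)

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    # The client's browser compares the name it connected to against the
    # certificate's CN and SAN (OID 2.5.29.17); the server never checks this,
    # so verify it here before creating the binding.
    $names = $cert.Subject
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ' ' + $san.Format($false) }   # e.g. "IP Address=212.19.10.50, DNS Name=..."
    if ($names -notmatch [regex]::Escape($ExpectedName)) {
        throw "Certificate $Thumbprint does not name '$ExpectedName' (subject/SAN: $names)"
    }

    # One IP-based HTTPS binding per address: the IP:443 pair selects the certificate.
    New-WebBinding -Name $Site -Protocol https -IPAddress $Ip -Port 443

    # Attach the certificate to that IP:port (same as "Edit Bindings" in IIS Manager).
    $cert | New-Item "IIS:\SslBindings\$Ip!443" | Out-Null
}

# External clients type the public IP, so that certificate must name 212.19.10.50,
# even though it is bound to the internal address the router forwards to.
Add-SiteSslBinding -Site $site -Ip $externalIp -Thumbprint $externalThumb -ExpectedName '212.19.10.50'

# Internal clients type the internal IP, so that certificate must name 198.162.0.11.
Add-SiteSslBinding -Site $site -Ip $internalIp -Thumbprint $internalThumb -ExpectedName $internalIp

# Show the resulting IP:port -> certificate mappings.
Get-ChildItem IIS:\SslBindings
```

If you follow the answer's recommended fix instead (one host name resolving to 212.19.10.50 outside and 198.162.0.10 inside), a single binding with a certificate naming that host name is enough, and the name check above would use the host name for both networks.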