Windows – Have both Hostname and FQDN in SSL Certificate on IIS

certificatehttpsiissslwindows

I've been searching here, technet and google but haven't been able to find an answer to my question yet.

I have a website running on IIS 7, Server 2012 R2. The IIS serves as an access to our Citrix farm. Connecting using https, I have created an SSL certificate using our CA server (certificate is for Citrix.contoso.com (internal FQDN for server)).
But, users will try and connect using just https://Citrix which will generate a certificate error. So my question is:
Is it possible, for the certificate to work for both Citrix and Citrix.contoso.com?
If so, how do I manage to do this?

Best Answer

A fundamental underlying principal of certificates is trust. Trust requires identifying the parties involved (server and/or client), by specifying a fully-qualified name. A single-label name does not fulfill the identity requirement, and therefore cannot be trusted. Certificate Authorities should not issue and applications should not trust single-label names.

You should not use single-label names to connect to services that use certificates, you should use the fully-qualified name that matches the certificate instead.

Related Solutions

Iis – Generating self-signed, wildcard certificate for IIS 7.5 on .local domain

Your question actually did end up getting answered in that question here; You cannot create a Wildcard SSL certificate through IIS7+'s self-issued certificate system.

Ssl – How to create a self-signed SSL certificate with subject alternate names (SAN) for IIS websites

I found a way to do this using OpenSSL. I was hoping to use CertEnroll but since it gave me interoperability problems with Java I'm just going to use OpenSSL.

Here is how I created a cert for IIS with subject alternative names using OpenSSL.

First create a OpenSSL config text file:

[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
[req_distinguished_name]
C           = US
ST          = VA
L           = SomeCity
O           = MyCompany
OU          = MyDivision
CN          = ANDY
[v3_req] 
keyUsage           = keyEncipherment, dataEncipherment
extendedKeyUsage   = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = andy
DNS.2 = 192.168.2.12
IP.1 = 192.168.2.12
IP.2 = 192.167.20.1

Then run the following OpenSSL commands:

openssl.exe req -x509 -nodes -days 730 -newkey rsa:2048 -keyout C:\cert.pem -out C:\cert.pem -config C:\PathToConfigFileAbove.txt

openssl.exe pkcs12 -export -out C:\cert.pfx -in C:\cert.pem -name "My Cert" -passout pass:mypassword

This will create you a cert in a PFX file which can be imported to IIS. I automated this with powershell like so:

    # Get the certificate from the PFX file.
$pfxcert = new-object system.security.cryptography.x509certificates.x509certificate2
$pfxcert.Import(
    "C:\cert.pfx",
    "mypassword",
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
)

    # Add the certificate to the windows stores.
Get-Item -Path cert:\LocalMachine\My, cert:\LocalMachine\root | ForEach-Object {
    $store = $_
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($pfxcert)
    $store.Close()
}

Add-PSSnapin -Name WebAdministration # IIS 7 Powershell module.
Push-Location -Path IIS:\SslBindings

    # Create new IIS SSL bindings.
Get-Item -Path "cert:\LocalMachine\My\$($pfxcert.Thumbprint)" | New-Item "0.0.0.0!443"

Best Answer

Related Solutions

Iis – Generating self-signed, wildcard certificate for IIS 7.5 on .local domain

Ssl – How to create a self-signed SSL certificate with subject alternate names (SAN) for IIS websites

Related Topic