SSL Bridging and certificat on the ISA Server?
SSL Bridging and certificat on the ISA Server? - 24.Mar.2005 3:34:00 PM
whorsfall
Posts: 33
Joined: 9.Feb.2001
From: Melbourne, Victoria, Australia
Status: offline
Hi,
Assuming the following configuration - a Windows 2003 Web Server - with a certificate installed - and a site with a few different web sites with SSL certificates.
Questions:
1. If I am publishing multiple sites with host-headers - can each separate site have a different certificate?
e.g. https://www.site1.com/ https://www.site2.com/
2. Can the ISA server have a separate certificate for each one above or do I have to use the same certificate as used for each web site.
Please can I get clarification for how this is to be configured - sorry for the bad expression - difficult to explain.
Thanks,
Ward
RE: SSL Bridging and certificat on the ISA Server? - 24.Mar.2005 4:19:00 PM
RuiFiske
Posts: 92
Joined: 8.Dec.2004
From: London
Status: offline
Hi there.
It is pretty straightforward:
If you don't want any warnings presented to the user with a certificate, you must:
1. Buy them from a trusted root authority, like (but not only) Verisign.
2. Have ONLY ONE certificate per IP address. This is what people new to PKI and SSL have problems with. There is no way round this, it is an integral part of the SSL/TLS standard. No Host Headers are sent until the encrypted channel has been established. You cannot sort sites by host headers with SSL.
3. The FQDN (DNS Name) of the site must match the CommonName on the certificate. Therefore a certificate for www.one.com will raise a warning to a user viewing www.two.com. They can, of course, choose to ignore that warning. The standard does allow for wildcard certificates, but they must share a domain.
Thus, one.domain.com and two.domain.com could both use a certificate for *.domain.com.
However, this would not be useable by host.three.domain.com, as it sits at a different level in the DNS hierarchy.
Your best option, if you need to do this is to get lots of public IP addresses, and a certificate for each domain, individually located on each IP address.
There is no way to implement SSL "on the cheap". It is a trust mechanism, and so you need:
a. to have that trust in place already (with people whose computers you control); or
b. to buy it in from somewhere else.
Hope this is helpful, please rate me if it is.
YoY
RE: SSL Bridging and certificat on the ISA Server? - 30.Mar.2005 10:42:00 AM
RuiFiske
Posts: 92
Joined: 8.Dec.2004
From: London
Status: offline
Hi Ward,
Sorry I haven't been back to you earlier on this.
In response to your questions:
1. You are correct. You can have only one certificate per IP address. If you want more certificates, then you need more IP addresses. What happens is this:
a. You type in the FQDN, which is resolved to an IP address by a DNS server.
b. The browser contacts the server by IP address. The server responds with its certificate. This is the first (and therefore only) certificate for this IP address.
c. The browser matches the subject DNS name on the certificate with the URL/FQDN that was requested. If they are not the same, then it raises a warning.
d. If all is OK, then the browser will negotiate an encryption key with the server, and send the HTTP request - including the (Host) headers - to the server. This is the first time that the server knows what site has been requested, which is why there is no way round it!
2. In a bridging scenario, you can use whatever certificate you like on the protected server - as long as:
a. There is a trust path on the ISA server, i.e. ISA must trust the certificate itself, or the issuing CA, or any higher CA (your Win 2k one, for example);
b. The subject DNS name matches the name that the ISA server publishes to, otherwise you get the "Target Principal name is incorrect" error.
3. You will always get a warning from clients if you try and issue your own certificates, unless they also have a trust path for the certificate (as above).
This gives you two options:
a. If you "control" all the clients, then put your CA certificate in their trusted root store.
b. If not, then you can tell them that they're going to get a warning, if you think they trust you enough (not recommended); or get a commercial certificate.
Good Luck !
YoY
[ March 31, 2005, 02:42 PM: Message edited by: WhyOhWhy ]
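The handshake order described in the two replies above, as an added example that is not part of the thread and not ISA Server code: a small Python model in which each IP address is bound to exactly one certificate, and the client checks the certificate's subject name (with the single-label wildcard rule from the first reply) before any Host header is sent. The model deliberately has no Server Name Indication extension, which is what later TLS clients use to send the hostname before the server picks a certificate; it reproduces the pre-SNI behaviour the replies describe. All hostnames, CA names, the Certificate class and the IP addresses (taken from the 203.0.113.0/24 documentation range) are constructed for illustration.

```python
"""Model of the pre-SNI TLS name check described in the thread above.

Constructed example: a tiny "network" in which each public IP address can
present exactly one server certificate, and a client that (a) resolves the
requested FQDN, (b) receives the single certificate bound to that IP, and
(c) checks its subject name against the FQDN before any Host header is sent.
All names, addresses and CA labels are invented for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Only the fields the check needs (a constructed stand-in, not real X.509)."""
    subject_cn: str  # CommonName, e.g. "www.site1.com" or "*.domain.com"
    issuer: str      # name of the signing CA, e.g. "VeriSign" or "CorpRootCA"


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a requested FQDN.

    Exact matches are case-insensitive.  A wildcard covers only the single
    left-most label, so *.domain.com covers one.domain.com and two.domain.com
    but neither host.three.domain.com nor bare domain.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    parent = pattern.split(".")[1:]        # labels after the "*"
    labels = hostname.split(".")
    return len(labels) == len(parent) + 1 and labels[1:] == parent


def tls_connect(dns, certs_by_ip, trusted_roots, url_host):
    """Walk steps a-d from the reply; return (ok, reason).

    dns:           FQDN -> IP address
    certs_by_ip:   IP address -> the ONE certificate that IP can present
    trusted_roots: CA names present in the client's trusted root store
    """
    ip = dns.get(url_host)                                   # a. resolve
    if ip is None:
        return False, f"{url_host}: name does not resolve"
    cert = certs_by_ip[ip]                                   # b. one cert per IP
    if cert.issuer not in trusted_roots:                     # trust path
        return False, f"{url_host}: issuer {cert.issuer} not in trusted root store"
    if not name_matches(cert.subject_cn, url_host):          # c. name check
        return False, f"{url_host}: certificate is for {cert.subject_cn}"
    # d. only now would keys be negotiated and "Host: ..." travel inside TLS
    return True, f"{url_host}: ok, Host header sent after handshake"


# --- constructed scenarios (203.0.113.0/24 is a documentation range) ---------

# Two sites, two certificates, one IP: only one certificate can be bound.
DNS_SHARED = {"www.site1.com": "203.0.113.10", "www.site2.com": "203.0.113.10"}
CERTS_SHARED = {"203.0.113.10": Certificate("www.site1.com", "VeriSign")}

# One IP per certificate, as the reply recommends.
DNS_SPLIT = {"www.site1.com": "203.0.113.10", "www.site2.com": "203.0.113.11"}
CERTS_SPLIT = {"203.0.113.10": Certificate("www.site1.com", "VeriSign"),
               "203.0.113.11": Certificate("www.site2.com", "VeriSign")}

# A single wildcard certificate on one IP for sibling hosts.
DNS_WILD = {h: "203.0.113.20" for h in
            ("one.domain.com", "two.domain.com", "host.three.domain.com")}
CERTS_WILD = {"203.0.113.20": Certificate("*.domain.com", "VeriSign")}

# A certificate issued by an internal CA (point 3 of the second reply).
DNS_INTERNAL = {"owa.site1.com": "203.0.113.30"}
CERTS_INTERNAL = {"203.0.113.30": Certificate("owa.site1.com", "CorpRootCA")}

PUBLIC_CLIENT = {"VeriSign"}                 # external user, public roots only
MANAGED_CLIENT = {"VeriSign", "CorpRootCA"}  # internal CA pushed to the root store


def run_scenarios():
    """Return, per scenario, whether the user gets a warning-free page."""
    return {
        "site1 on shared ip": tls_connect(DNS_SHARED, CERTS_SHARED, PUBLIC_CLIENT, "www.site1.com")[0],
        "site2 on shared ip": tls_connect(DNS_SHARED, CERTS_SHARED, PUBLIC_CLIENT, "www.site2.com")[0],
        "site2 on own ip": tls_connect(DNS_SPLIT, CERTS_SPLIT, PUBLIC_CLIENT, "www.site2.com")[0],
        "one.domain.com via wildcard": tls_connect(DNS_WILD, CERTS_WILD, PUBLIC_CLIENT, "one.domain.com")[0],
        "host.three.domain.com via wildcard": tls_connect(DNS_WILD, CERTS_WILD, PUBLIC_CLIENT, "host.three.domain.com")[0],
        "internal ca, external client": tls_connect(DNS_INTERNAL, CERTS_INTERNAL, PUBLIC_CLIENT, "owa.site1.com")[0],
        "internal ca, managed client": tls_connect(DNS_INTERNAL, CERTS_INTERNAL, MANAGED_CLIENT, "owa.site1.com")[0],
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{'clean' if ok else 'WARNING':8} {scenario}")
```

Running it shows the three outcomes the replies predict: the second site on a shared IP and the deeper wildcard host both produce a name-mismatch warning, the internally issued certificate warns only on a client that lacks the internal CA in its root store, and giving each certificate its own IP (or using a wildcard for same-level siblings) clears the warning.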
RE: SSL Bridging and certificat on the ISA Server? - 1.Apr.2005 5:09:00 PM
whorsfall
Posts: 33
Joined: 9.Feb.2001
From: Melbourne, Victoria, Australia
Status: offline
Hi,
Thanks for the great reply.
You said:
"3. You will always get a warning from clients if you try and issue your own certificates, unless they also have a trust path for the certificate (as above)."
Can you clarify exactly what you mean by a trust path.
How can I avoid that error on external clients if I am running my own certificate services?
Also is it possible to do a technique where even though you issue your own certificates somehow your internal CA is trusted by say a public root CA?
Thanks,
Ward
RE: SSL Bridging and certificat on the ISA Server? - 5.Apr.2005 10:25:00 AM
RuiFiske
Posts: 92
Joined: 8.Dec.2004
From: London
Status: offline
Hi Ward,
I explain what a trust path is in 2a - a certificate in the chain must be trusted by the client.
You can get a root CA certificate from an external company, like Verisign, and use that to issue certificates.
It would be better if you explained what you are trying to achieve, then I may be able to give you better advice.