Welcome to ISAserver.org


Using commercial Wildcard certificate for published multiple sites

Using commercial Wildcard certificate for published mul... - 13.Dec.2006 7:21:07 PM   
BrowSW

 

Posts: 7
Joined: 1.May2003
Status: offline
Hi,
I would like to get a commercial certificate for the secure websites that I publish via my ISA 2004 box.

I currently have published:
exchange.domain.com [with internal CA certificate]
intranet.domain.com [sharepoint, with internal CS certificate]
extranet.domain.com [IIS, with internal CS certificate]

I would like to get a commercial certificate so users don't have to install the CA certificate to get rid of the warning box when visiting the sites.
HOWEVER I was wondering whether I could just buy a wild card certificate with the common name *.domain.com which I could install on the ISA and all 3 webservers - to save money.

I think I can do this but I think I have to upgrade to ISA 2006, is that correct?
I would also like to do Single Sign-On, so I guess ISA 2006 is a must.

But anyway, can I use the wildcard certificate as described?

Thanks in advance,
Stuart
Post #: 1
RE: Using commercial Wildcard certificate for published... - 14.Dec.2006 7:23:50 PM   
Jason Jones

 

Posts: 2254
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yep, no problem using a wildcard. I tend to use them for customers who are looking at publishing more than 5 web services (as this is the common break-even point financially)

ISA2k4 is able to use wildcard on its web listeners, but cannot publish a server that is configured with a wildcard cert. ISA2k6 has solved this issue by separating the "to" and the "connect" elements to support wildcard certs on the published server.

It is worth noting that you only need certs from a public CA on the ISA servers, as the certs on the webservers will only be accessed by ISA and hence can be issued by an internal CA. Therefore, you only really need to buy one wildcard cert and put this on ISA - you won't even need to upgrade ISA for this to work.

Be aware that most public certs are licensed "per server" hence you will need to buy a cert for each server - in your case 4 wildcard certs if you go the complete public CA route. You *can* technically export certs, but it is against the license agreements. Therefore in your case, it may actually be cheaper to get one wildcard and stick with internal CA certs for the webservers.

Yep, you would need ISA2k6 for single-sign on...it is also worth noting that single sign on only works if your publishing uses the same shared listener. E.g. single sign on cannot be shared amongst several web listeners. This is a shame and can make things painful!

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to BrowSW)
Post #: 2
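
The coverage question from the first post, as an added example that is not part of the thread: a Python check of which published host names a certificate name such as `*.domain.com` is valid for, using the single-label, left-most-only wildcard rule that mainstream TLS clients apply. The function names are hypothetical and the last two host names in the list are constructed to show names the wildcard does not cover.

```python
# Added example (not from the thread): which published host names does a
# wildcard certificate name cover? Function names here are hypothetical.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def wildcard_covers(cert_name, host):
    """Return True if cert_name (exact name or '*.zone') is valid for host.

    The wildcard is accepted only as the complete left-most label and
    stands for exactly one label.
    """
    cert, target = _labels(cert_name), _labels(host)
    if "" in cert or "" in target:
        return False                      # empty label, e.g. 'a..b' or ''
    if cert[0] != "*":
        # Exact name; partial wildcards such as 'ex*.domain.com' are rejected.
        return "*" not in cert_name and cert == target
    if len(cert) < 3 or "*" in "".join(cert[1:]):
        return False                      # '*.com' or '*.*.domain.com'
    # One label replaces '*': same label count, same parent zone.
    return len(target) == len(cert) and target[1:] == cert[1:]

def coverage_report(cert_name, hosts):
    """Map each host name to True/False coverage by cert_name."""
    return {h: wildcard_covers(cert_name, h) for h in hosts}

PUBLISHED = [
    "exchange.domain.com",       # the three names from the first post
    "intranet.domain.com",
    "extranet.domain.com",
    "domain.com",                # constructed: the bare zone itself
    "mail.exchange.domain.com",  # constructed: two labels below the zone
]

if __name__ == "__main__":
    for host, ok in coverage_report("*.domain.com", PUBLISHED).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```

Any name reported as not covered needs its own certificate or an additional subject alternative name on the listener certificate.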
RE: Using commercial Wildcard certificate for published... - 17.Dec.2006 10:23:09 PM   
JoF

 

Posts: 1
Joined: 17.Dec.2006
Status: offline
Hi, we will be implementing the exact scenario below but we will be using ISA 2006. We are in the process of checking cost effective wildcard certificate providers. Can you suggest at least three? As I have browsed the net, I come up with the below candidates:

Digicert  $449
http://www.digicert.com/wildcard-ssl-certificates.htm

InstantSSL   $449 - one year

http://www.instantssl.com/ssl-certificate-products/addsupport/wildcard-ssl-premiumssl_wildcard.html

geotrust from SSL.com - 2 years $674

http://www.ssl.com/pc-65-25-geotrust-true-businessid-wildcard-certificate.aspx

Can you help me choose a provider that can be trusted? Any suggestion? We could not make Verisign and Thawte on the list as their offer for wildcard certificate is too expensive.

Can I also ask others what wildcard certificate do they use?

Please help. Thanks!

:-)

(in reply to BrowSW)
Post #: 3
RE: Using commercial Wildcard certificate for published... - 18.Dec.2006 6:25:03 AM   
Jason Jones

 

Posts: 2254
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I only ever use GeoTrust certs and work for a solution provider that provides GeoTrust certs for customers (e.g. we are a GeoTrust partner).

GeoTrust are a fantastic CA with the key feature being that they issue the certs pretty much instantly which makes things MUCH easier for our customer deployments. They also provided free cert re-issue which is amazingly handy during disaster recovery or when a customer loses their private key.

We have been a partner for several years now after moving from Verisign and I am still very happy with their service.

Very recommended!

JJ

< Message edited by Jason Jones -- 18.Dec.2006 6:26:40 AM >



(in reply to JoF)
Post #: 4
