It is pretty straightforward:
If you don't want any warnings presented to the user with a certificate, you must:
1. Buy them from a trusted root authority, like (but not only) Verisign.
2. Have ONLY ONE certificate per IP address. This is what people new to PKI and SSL have problems with. There is no way round this, it is an integral part of the SSL/TLS standard. No Host Headers are sent until the encrypted channel has been established. You cannot sort sites by host headers with SSL.
3. The FQDN (DNS Name) of the site must match the CommonName on the certificate. Therefore a certificate for www.one.com will raise a warning to a user viewing www.two.com. They can, of course, choose to ignore that warning. The standard does allow for wildcard certificates, but they must share a domain.
Thus, one.domain.com and two.domain.com could both use a certificate for *.domain.com.
However, this would not be usable by host.three.domain.com, as it sits at a different level in the DNS hierarchy.
Your best option, if you need to do this, is to get lots of public IP addresses, and a certificate for each domain, individually located on each IP address.
There is no way to implement SSL "on the cheap". It is a trust mechanism, and so you need:
a. to have that trust in place already (with people whose computers you control); or b. buy it in from somewhere else.
Thanks for the great answer I am going to give you the top rating now...
OK, I am trying to understand your answer:
Have ONLY ONE certificate per IP address. This is what people new to PKI and SSL have problems with. There is no way round this, it is an integral part of the SSL/TLS standard. No Host Headers are sent until the encrypted channel has been established. You cannot sort sites by host headers with SSL...
1. Please clarify: is this scenario possible? Can I host multiple sites off the "same IP address" and use a separate SSL certificate for each?
If I read correctly, this will not work because it is the same IP address.
2. If I am using SSL Bridging, do I have to import the same certificate as is on the web site onto the web server, or can I get a different certificate for the same FQDN?
3. If I am using Microsoft Windows 2003 Certificate Services as a root CA (I am not sure if I am using the correct terminology here), will external browsers (on the Internet) trust this, or will it generate an error saying it is an untrusted source?
Sorry I haven't been back to you earlier on this.
In response to your questions:
1. You are correct. You can have only one certificate per IP address. If you want more certificates, then you need more IP addresses. What happens is this:
a. You type in the FQDN, which is resolved to an IP address by a DNS server.
b. The browser contacts the server by IP address. The server responds with its certificate. This is the first (and therefore only) certificate for this IP address.
c. The browser matches the subject DNS name on the certificate with the URL/FQDN that was requested. If they are not the same, then it raises a warning.
d. If all is OK, then the browser will negotiate an encryption key with the server, and send the HTTP request - including the (Host) headers - to the server. This is the first time that the server knows what site has been requested, which is why there is no way round it!
2. In a bridging scenario, you can use whatever certificate you like on the protected server, as long as:
a. There is a trust path on the ISA server, i.e. ISA must trust the certificate itself, or the issuing CA, or any higher CA (your Win 2k one, for example);
b. The subject DNS name matches the name that the ISA server publishes to, otherwise you get the "Target Principal name is incorrect" error.
3. You will always get a warning from clients if you try and issue your own certificates, unless they also have a trust path for the certificate (as above).
This gives you two options:
a. If you "control" all the clients, then put your CA certificate in their trusted root store.
b. If not, then you can tell them that they're going to get a warning, if you think they trust you enough (not recommended); or get a commercial certificate.
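The two checks described in this thread (the wildcard naming rule from the first answer, where *.domain.com covers one.domain.com but not host.three.domain.com, and the trust-path and subject-name checks in points 1c and 2a/2b of the second answer) can be modelled in a few dozen lines. The following is an added example written for this page, not code from either poster; the Cert objects, CA names and hostnames are constructed stand-ins, signature verification is deliberately left out, and the wildcard rules follow RFC 6125 (one wildcard, only as the whole leftmost label, matching exactly one label).

```python
"""Model of two checks a TLS client (or an ISA bridging server) makes on a
server certificate: (1) is there a trust path up to a trusted root, and
(2) does one of the certificate's DNS names match the requested FQDN.

Certificates are plain dataclasses with constructed sample data; no real
X.509 parsing or signature checking is done here.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    subject: str            # e.g. "CN=www.one.com"
    issuer: str             # subject of the certificate that signed this one
    dns_names: Tuple[str, ...]  # CommonName plus any subjectAltName DNS entries


def _labels(name: str) -> List[str]:
    """Lower-case DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, fqdn: str) -> bool:
    """Match one certificate DNS name against the requested FQDN.

    A wildcard is honoured only when it is the entire leftmost label and it
    stands for exactly one label: *.domain.com matches one.domain.com but
    not host.three.domain.com (different level) or domain.com itself.
    """
    p, h = _labels(pattern), _labels(fqdn)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        if len(p) < 3:          # refuse over-broad wildcards such as "*.com"
            return False
        return p[1:] == h[1:]
    if "*" in pattern:          # partial wildcards like w*.domain.com are rejected
        return False
    return p == h


def cert_matches_host(cert: Cert, fqdn: str) -> bool:
    """True if any DNS name on the certificate covers the requested FQDN."""
    return any(dns_name_matches(n, fqdn) for n in cert.dns_names)


def trust_path(leaf: Cert, available: Iterable[Cert], trusted: Iterable[Cert],
               max_depth: int = 8) -> Optional[List[str]]:
    """Follow issuer links upward from the leaf until a certificate in the
    trusted store is reached. Returns the chain of subjects, or None when
    the chain is incomplete or ends at a root that is not trusted."""
    trusted_subjects = {c.subject for c in trusted}
    by_subject = {c.subject: c for c in list(available) + list(trusted)}
    chain, current = [leaf.subject], leaf
    for _ in range(max_depth):
        if current.subject in trusted_subjects:
            return chain                     # trusted directly or via a higher CA
        if current.issuer == current.subject:
            return None                      # self-signed root that is not trusted
        parent = by_subject.get(current.issuer)
        if parent is None:
            return None                      # issuing CA certificate is missing
        chain.append(parent.subject)
        current = parent
    return None


def validate(leaf: Cert, fqdn: str, available: Iterable[Cert],
             trusted: Iterable[Cert]) -> List[str]:
    """Return the warnings a browser would raise for this certificate/FQDN pair."""
    warnings = []
    if trust_path(leaf, available, trusted) is None:
        warnings.append("untrusted issuer: no trust path to a trusted root")
    if not cert_matches_host(leaf, fqdn):
        warnings.append(f"name mismatch: certificate is not valid for {fqdn}")
    return warnings


# Constructed sample certificates (hypothetical names, not real CAs or sites)
PUBLIC_ROOT = Cert("CN=Example Public Root CA", "CN=Example Public Root CA", ())
PRIVATE_ROOT = Cert("CN=Corp Win2003 Root CA", "CN=Corp Win2003 Root CA", ())
WWW_ONE = Cert("CN=www.one.com", "CN=Example Public Root CA", ("www.one.com",))
WILDCARD = Cert("CN=*.domain.com", "CN=Corp Win2003 Root CA", ("*.domain.com",))

if __name__ == "__main__":
    # A browser that trusts only the public root, visiting four sites
    for cert, host in [(WWW_ONE, "www.one.com"), (WWW_ONE, "www.two.com"),
                       (WILDCARD, "one.domain.com"),
                       (WILDCARD, "host.three.domain.com")]:
        print(host, "->", validate(cert, host, [WWW_ONE, WILDCARD], [PUBLIC_ROOT]) or "OK")
```

Importing PRIVATE_ROOT into the client's trusted store (option 3a above) is modelled by adding it to the `trusted` argument; the wildcard certificate then passes for one.domain.com but still fails for host.three.domain.com, because the name check is independent of the trust check.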