[thelist] Quick SSL Cert Question

Rob Smith rob.smith at THERMON.com
Thu Jun 24 11:07:39 CDT 2004


Thank you Ken. This is what I was hoping to hear (read).

<tip type="Advanced Web Authoring - DWMX" author="Rob.Smith">
In the reports tab in DWMX, you can do many tasks that help bulletproof
your system. You can:
Validate your files,
Target Browsers,
Check your links,
Run Reports on various accessibility and functionality
 and much more.

You'd be amazed how much stuff you miss. 
</tip>

-----Original Message-----
From: Ken Schaefer [mailto:ken at adOpenStatic.com]
Sent: Wednesday, June 23, 2004 9:10 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Quick SSL Cert Question


Hi,

You can not allocate an SSL cert to a "subdomain". "this.domain.com" must be
a host, same with "that.domain.com". The only exception (sort of), is
wildcard SSL certs that match any host within a domain (but again, you still
need a host(s)).

Now, an SSL certificate has the DNS name of the host in question embedded in
it. The client browser checks that the hostname of the URL being requested
matches that embedded in the certificate (this is part of the identity
verification checks that certificates give you).

BUT, the Host: HTTP header is encrypted when transmitted from client to
server, so the server can not use it to determine which website the request
should be routed to.

So, the browser must request a FQDN (this.domain.com) BUT the Host: HTTP
header can not be used by the server to determine which website the request
can be routed to. So, the only things that can be used are IP address, and
Port number.

So, for each host, you need to have a unique IP Address + TCP Port Number
combination (host headers not allowed).

IIS will happily let you install multiple SSL certs for different websites
provided that they have a different valid identity (Port Number + IP address
only).

Cheers
Ken

----- Original Message ----- 
From: "Rob Smith" <rob.smith at THERMON.com>
To: "Thelist (E-mail)" <thelist at lists.evolt.org>
Sent: Thursday, June 24, 2004 2:05 AM
Subject: [thelist] Quick SSL Cert Question


: Hey gang,
:
: I got a new web server and am setting it up right now. We have purchased two
: SSL certs for the various sites we host. Currently all sites are governed by
: host headers and all IPs are unassigned during this testing phase. The two
: sites in question are subdomains (i.e. this.domain.com and that.domain.com).
:
: According to the SSL cert rules, you must have only one cert per domain per
: server.
:
: Fact: Host headers and SSL certs do not communicate. However, static IPs
: and SSL certs do.
:
: (Deep breath) I just need someone to confirm, with their experience of
: working with Multiple SSL certs on the same box on the same domain with
: different subdomains, that you Can have two certs on the same domain, but
: different subdomains, which have different IP addresses.
:
: Currently since all sites are unassigned, IIS 5 is only allowing me to
: install one and only one SSL Cert. IF the sites were given different IP
: addresses, then IIS 5 would allow me to install different SSL certs on
: different subdomains.
:
: A Big Texas Thank you in advance!
:
: Rob Smith
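
The rule described in Ken's reply (the certificate is chosen by IP address + port because the Host: header cannot be read at that point, and the browser checks the requested hostname against the name in the certificate) as a small audit script. This is an added example, not part of the original thread: the site lists, the 192.0.2.x addresses and the function names are constructed for illustration, and an empty IP string stands for an unassigned address.

```python
import ipaddress
from collections import defaultdict

def cert_matches(cert_name, host):
    """Browser-side check: the requested hostname must match the certificate name.
    A wildcard stands for exactly one left-most label."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    if len(c) != len(h):
        return False
    return c[1:] == h[1:] if c[0] == "*" else c == h

def audit(sites):
    """sites: list of (host, ip, port, cert_name); ip "" means unassigned.
    Returns (conflicts, mismatches):
      conflicts  - (ip, port) endpoints asked to present more than one certificate
      mismatches - (host, cert_name) pairs a browser would reject."""
    endpoints = defaultdict(set)
    mismatches = []
    for host, ip, port, cert in sites:
        if ip:
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        # Assumption of this model: all unassigned sites share one endpoint "*".
        endpoints[(ip or "*", port)].add(cert)
        if not cert_matches(cert, host):
            mismatches.append((host, cert))
    conflicts = sorted(ep for ep, certs in endpoints.items() if len(certs) > 1)
    return conflicts, mismatches

# Constructed sample configurations.
SHARED = [  # both sites unassigned on 443, two different certs
    ("this.domain.com", "", 443, "this.domain.com"),
    ("that.domain.com", "", 443, "that.domain.com"),
]
SPLIT = [  # one IP address per site
    ("this.domain.com", "192.0.2.10", 443, "this.domain.com"),
    ("that.domain.com", "192.0.2.11", 443, "that.domain.com"),
]
WILDCARD = [  # one wildcard cert presented for both hosts
    ("this.domain.com", "", 443, "*.domain.com"),
    ("that.domain.com", "", 443, "*.domain.com"),
]

if __name__ == "__main__":
    for label, cfg in (("shared", SHARED), ("split", SPLIT), ("wildcard", WILDCARD)):
        print(label, audit(cfg))
```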
