Home Access Plus+ Thread: HAP on CC4 server, and SSL certificates
  1. #1

    HAP on CC4 server, and SSL certificates

    Hi,

    I'm after some advice about setting up HAP on a CC4 first server, and specifically the SSL certificates.

    With a standard CC4 FS, the "RM" website already exists, and is bound to TCP 443 - it's used for internal RM stuff (learning resources etc.), and makes use of a self issued SSL certificate.
    By adding the HAP content to "D:\RMNetwork\RMManage\Web Components\HAP\", the HAP website can then also use TCP 443. But, unless I'm missing something, that presents a problem with certificates - as you can only have 1 certificate bound to the "RM" website, you must either choose to:
    - Replace the existing one with the "proper" SSL one obtained from an online trusted CA (which secures "hap.domainname.co.uk" or similar for HAP access, but then will break learning resources),
    - Keep the existing self signed one (which keeps learning resources etc. working, but means the HAP website isn't secured).

    Have I missed something obvious, or is the above true, and if so, what do others do?

    Thanks in advance for any assistance

  2. #2

    Edu-IT
    > -Replace the existing one with the "proper" SSL one obtained from an online trusted CA (which secures "hap.domainname.co.uk" or similar for HAP access, but then will break learning resources),
    You'd need a multiname SSL. This is what we've done. As long as you secure the server name, as well as hap.domainname.co.uk, then Learning Resources still works.

  3. #3

    Originally posted by Edu-IT:
    > You'd need a multiname SSL. This is what we've done. As long as you secure the server name, as well as hap.domainname.co.uk, then Learning Resources still works.
    Thanks for the pointer. So to do it "properly", I need to create a CSR for a multiname SSL certificate, which includes the external FQDN (hap.domainname.co.uk), and the internal server name (SVR-001)? That being the case, 2 questions:

    1. How do you create a multiname CSR (the IIS7 GUI doesn't appear to give the option - only lets you specify one CN using the wizard)?
    2. Will a public CA provide an SSL certificate which also includes details of an internal server which they can't "verify"? I've read around a bit, and found the following document, which suggests they will, but only for a finite period of time - it seems the general stance on this is changing, and all public CAs won't be able to do this in the future:
    https://cabforum.org/Baseline_Requirements_V1.pdf

  4. #4

    Edu-IT
    Originally posted by ashleyturner86:
    > Thanks for the pointer. So to do it "properly", I need to create a CSR for a multiname SSL certificate, which includes the external FQDN (hap.domainname.co.uk), and the internal server name (SVR-001)? That being the case, 2 questions:
    >
    > 1. How do you create a multiname CSR (the IIS7 GUI doesn't appear to give the option - only lets you specify one CN using the wizard)?
    > 2. Will a public CA provide an SSL certificate which also includes details of an internal server which they can't "verify"? I've read around a bit, and found the following document, which suggests they will, but only for a finite period of time - it seems the general stance on this is changing, and all public CAs won't be able to do this in the future:
    > https://cabforum.org/Baseline_Requirements_V1.pdf
    Just create the CSR in IIS7 for hap.yourdomain.co.uk. Then, submit this to the SSL provider and you'll just go in and then add the other domains. They will accept internal server names.

    I used GoDaddy.

    I think the thing that is changing is that the primary name (such as hap.mydomain.co.uk) must be able to be verified. You can't use an internal name such as server.schoolname.internal as the primary name on the SSL cert.

  5. #5
    nickbro
    For multi-name certs, if you run Exchange it's easiest to use it to generate the CSR

    e.g.
    Code:
    New-ExchangeCertificate -GenerateRequest -KeySize 4096 -SubjectName "c=GB, s=Powys, l=Crickhowell, o=Crickhowell High School, ou=IT, cn=schoolmail.crickhowell-hs.powys.sch.uk" -DomainName autodiscover.crickhowell-hs.powys.sch.uk, folders.crickhowell-hs.powys.sch.uk -PrivateKeyExportable $True
    https://www.digicert.com/easy-csr/exchange2010.htm

    You would import it back onto the Exchange server, then use certmgr.msc to export it as a PFX with the private key and import it on the IIS server
    Last edited by nickbro; 19th October 2012 at 09:21 PM.

  6. #6

    Hi folks,

    I managed to generate a CSR using certmgr.msc, and specify the required SANs. However, upon submitting to my SSL provider (JANET - they provide free SSL certificates via Comodo for educational establishments), they've rejected it because of the internal SANs as I feared they would.

    Have others definitely done this, and obtained an SSL certificate for the external FQDN of the website, as well as having SANs for internal server names etc.? I don't have huge experience with SSL certificates, so I'm not sure if it's an issue with the provider I'm using, or if others would have the same stance.

    Thanks again,

  7. #7

    Edu-IT

    You won't be able to get them from Janet. Have to use GoDaddy or something.
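
An added example, not part of any post above: one way to build the multi-name CSR asked about in post #3 without Exchange, using certreq.exe with an INF file, and to flag internal-only SANs (the kind rejected in post #6) before submitting. The host names are the thread's placeholders; the file names and the internal-suffix list are assumptions.

```powershell
# Added example: build a multi-name (SAN) CSR on the IIS server with certreq.exe.
# Host names are the placeholders used in this thread; file names are assumptions.
$subjectCN = 'hap.domainname.co.uk'
$sanNames  = @('hap.domainname.co.uk', 'SVR-001')

# Heuristic (assumption): single-label names and these suffixes are internal-only
# names that a public CA has no way to validate.
$internalSuffixes = @('.local', '.internal', '.lan')
$internal = $sanNames | Where-Object {
    $n = $_.ToLower()
    ($n -notmatch '\.') -or ($internalSuffixes | Where-Object { $n.EndsWith($_) })
}
if ($internal) { Write-Warning ("Internal names in request: {0}" -f ($internal -join ', ')) }

# One "_continue_" line per SAN; every entry except the last ends with "&".
$sanLines = for ($i = 0; $i -lt $sanNames.Count; $i++) {
    $sep = if ($i -lt $sanNames.Count - 1) { '&' } else { '' }
    '_continue_ = "dns={0}{1}"' -f $sanNames[$i], $sep
}

# Exportable = FALSE: the key is generated where it will be used, so it never has to leave the box.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$subjectCN"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

Set-Content -Path .\hap-san.inf -Value $inf -Encoding ASCII
certreq.exe -new .\hap-san.inf .\hap-san.csr
certutil.exe -dump .\hap-san.csr   # check every name is listed under Subject Alternative Name
```

Run it from an elevated prompt on the server that will host the site; the pending request stays in the machine store until the issued certificate is installed with `certreq -accept`.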
