  1. #1



    SSL Certificates and internal hostnames

    I need to buy a wildcard cert so that we can publish a few servers through MS TMG on a single IP. I've never actually dealt with certificates before other than self-signed ones.

    We have a MS 2008 RDweb server called remote.internaldomain.internal (as it must be joined to the domain) which will have an external name of remote.externaldomain.com, and a debian/apache VLE/Moodle server called by its external name both internally and externally of vle.externaldomain.com.

    Will having the RDweb server with an internal hostname upset anything certificate-wise? When I come to import the certificate on the 2 servers will it work? Will IIS turn round and say "this certificate isn't for my hostname"?


    Cheers
    Last edited by j17sparky; 20th October 2010 at 05:34 PM.

  2. #2


    Bumpy bump

  3. #3
    robk
    I don't KNOW this, but isn't a wildcard cert designed for the situation of *.domain.tld? I suspect that the internal domain name could be an issue. Can you proxy the VLE content on the TMG box and therefore use an external SSL DNS name?

    You could then if needed use a self signed ssl cert for internal clients.

  4. #4


    I can't see the VLE being a problem as it is already named by its external address, plus you can name your web server to whatever you want in Apache. Can you do this in IIS? I can't seem to find an option to do it. Bloody MS GUI crap, give me a plain text config file any day!

    Internally I don't really care tbh, in fact I don't think I've even changed the link from http to https for the VLE.

  5. #5


    Bump bum

  6. #6
    penfold_99
    Quote Originally Posted by j17sparky View Post
    I need to buy a wildcard cert so that we can publish a few servers through MS TMG on a single IP. I've never actually dealt with certificates before other than self-signed ones.

    We have a MS 2008 RDweb server called remote.internaldomain.internal (as it must be joined to the domain) which will have an external name of remote.externaldomain.com, and a debian/apache VLE/Moodle server called by its external name both internally and externally of vle.externaldomain.com.

    Will having the RDweb server with an internal hostname upset anything certificate-wise? When I come to import the certificate on the 2 servers will it work? Will IIS turn round and say "this certificate isn't for my hostname"?


    Cheers
    The internal name of the RDweb server will break the certificate chain.

    The way we overcame it was
    • Install the wildcard SSL certificate on the RDWeb Server
    • Get the RDWeb Server to use the certificate
    • Create an A record for remote.externaldomain.com with the IP of the RDWeb server
    • Edit the TMG Rule for RDWeb and when it asks for the computer name or IP to resolve enter remote.externaldomain.com


    This will keep the certificate chain intact.

  7. #7


    Quote Originally Posted by penfold_99 View Post
    The internal name of the RDweb server will break the certificate chain.

    The way we overcame it was
    • Install the wildcard SSL certificate on the RDWeb Server
    • Get the RDWeb Server to use the certificate
    • Create an A record for remote.externaldomain.com with the IP of the RDWeb server
    • Edit the TMG Rule for RDWeb and when it asks for the computer name or IP to resolve enter remote.externaldomain.com


    This will keep the certificate chain intact.
    Are we talking internally here? So external should work?

    So even though the hostname will be remote.internaldomain.internal and the certificate is remote.externaldomain.com the certificate will install into IIS ok?


    Cheers
    Last edited by j17sparky; 21st October 2010 at 09:38 AM.

  8. #8
    penfold_99
    The certificate will install but you need to refer to the machine internal and external as remote.externaldomain.com so you don't get a certificate warning in IE etc

  9. #9


    Quote Originally Posted by penfold_99 View Post
    The certificate will install but you need to refer to the machine internal and external as remote.externaldomain.com so you don't get a certificate warning in IE etc
    Brill! Sorry if I didn't get my question across very well

  10. #10
    wesleyw
    So you'll want to create another domain within DNS on your boxes really called <external.domain.com>, then add an entry in there for the internal IP address of the server remotemachine (Host A record). Make sure all of the PCs internally use the external website name and it'll resolve with the internal IP address but will keep the SSL cert from causing an error. It has the added benefit of the staff and students only needing to know the one address as well. We've had to do this with about 6 internal servers, soon to be growing to 9 (I don't want to buy single SSL certs for all of these and of course I'm bound to add more later).


    Wes
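
The hostname check behind the advice in posts #6, #8 and #10, as an added example that is not part of the original thread: a simplified version of the wildcard name matching a TLS client applies (the `*` must be the whole left-most label and covers exactly one label), run over the names used in the thread. The function names and the `WILDCARD_SANS` list are assumptions made for illustration.

```python
# Added example: simplified TLS hostname matching for a wildcard certificate.
# Real clients apply further rules (IDNA, public-suffix checks); this shows
# only the label logic that decides whether a name triggers a warning.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (pattern) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                      # '*' never spans more than one label
    if p_labels[0] == "*":
        # Require at least *.domain.tld and a non-empty host label.
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False                      # wildcard anywhere else is rejected
    return p_labels == h_labels


def cert_covers(san_names, hostname: str) -> bool:
    """True if any name on the certificate covers the hostname the client used."""
    return any(name_matches(n, hostname) for n in san_names)


# Assumed certificate contents: a single wildcard name for the external zone.
WILDCARD_SANS = ["*.externaldomain.com"]

# Names a client might type, taken from the thread plus two edge cases
# (constructed): the bare domain and a two-level subdomain.
CLIENT_NAMES = [
    "remote.externaldomain.com",
    "vle.externaldomain.com",
    "remote.internaldomain.internal",
    "externaldomain.com",
    "a.b.externaldomain.com",
]


def audit(names=CLIENT_NAMES, sans=WILDCARD_SANS):
    """Map each client-side name to whether the certificate covers it."""
    return {n: cert_covers(sans, n) for n in names}


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:35} {'OK' if ok else 'certificate name warning'}")
```

The match is made against the name the client connects to, not the server's Windows hostname, which is why the internal A record for remote.externaldomain.com avoids the warning.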
