securing multiple websites using wildcard certificate - one IIS 6.0 server

on 22.05.2006 18:54:49 by jyoo

My setup is as below -

Windows Server 2003 SP1

3 websites running in IIS 6.0
a.domain.com
b.domain.com
c.domain.com

internal IP 1.1.1.1
external ip 2.2.2.2
1-to-1 nat of 2.2.2.2 to 1.1.1.1 by firewall

currently all 3 websites are reachable from outside

What I want to do is enable SSL on all 3 sites. I realize I can do
this by obtaining a wildcard certificate *.domain.com.

questions I have -
1. since there are multiple websites, which one will request for SSL?
(generate CSR)
2. how can I install the certificate on the other 2 websites? do I
create a request from IIS and just import the certificate obtained from
step 1 or do I import/export?

I've installed single SSLs no problem but first time using wildcard and
it is somewhat confusing.

I know with SP1, we can now use a wildcard SSL on multiple websites
using host headers.

Thanks!

Re: securing multiple websites using wildcard certificate - one IIS 6.0 server

on 22.05.2006 20:46:50 by Funkadyleik Spynwhanker

Use one virtual web with a unique IP and use the same IP for your DNS for
any/all hostnames. Then just install the wildcard cert on that virtual web.
At that point, you can add/remove any web name you want by adding/removing
hostnames in DNS. No additional configuration of the virtual web is
required because all it cares about is the IP and the primary domain name
for the cert.

On another note, your use of "website" is technically incorrect and has too
much "layman's terms" to it.

You have three HOSTNAMES, a b c. WEBSITES in IIS mean a root folder with
files and virtual folders under it, an icon on the tree in the IIS
management tool. To which you may attach one or more hostnames. You might
be able to install the same cert three times (once each on three virtual
webs), but unless there is a different file structure or something that
would be pointless.

I mention this because it appears to be causing extra confusion that may be
interfering with your ability to accurately think about your configuration.


"nix" wrote in message
news:1148316889.564726.277930@u72g2000cwu.googlegroups.com...
> My setup is as below -
>
> Windows Server 2003 SP1
>
> 3 websites running in IIS 6.0
> a.domain.com
> b.domain.com
> c.domain.com
>
> internal IP 1.1.1.1
> external ip 2.2.2.2
> 1-to-1 nat of 2.2.2.2 to 1.1.1.1 by firewall
>
> currently all 3 websites are reachable from outside
>
> What I want to do is enable SSL on all 3 sites. I realize I can do
> this by obtaining a wildcard certificate *.domain.com.
>
> questions I have -
> 1. since there are multiple websites, which one will request for SSL?
> (generate CSR)
> 2. how can I install the certificate on the other 2 websites? do I
> create a request from IIS and just import the certificate obtained from
> step 1 or do I import/export?
>
> I've installed single SSLs no problem but first time using wildcard and
> it is somewhat confusing.
>
> I know with SP1, we can now use a wildcard SSL on multiple websites
> using host headers.
>
> Thanks!
>

Re: securing multiple websites using wildcard certificate - one IIS 6.0 server

on 22.05.2006 20:51:52 by jyoo

I do have three WEBSITES because they have different file structures.
One is a cgi enabled time sheet tracker using a SQL backend and another
is an asp and another is a Microsoft CRM frontend. Therefore I have
separate icons on the tree in IIS. Each of these WEBSITES have their
own unique host headers associated to it all under *.domain.com as I
mentioned.

Re: securing multiple websites using wildcard certificate - one IIS 6.0 server

on 23.05.2006 20:28:52 by Funkadyleik Spynwhanker

"nix" wrote in message
news:1148323912.250579.112800@i39g2000cwa.googlegroups.com...
>I do have three WEBSITES because they have different file structures.
> One is a cgi enabled time sheet tracker using a SQL backend and another
> is an asp and another is a Microsoft CRM frontend. Therefore I have
> separate icons on the tree in IIS. Each of these WEBSITES have their
> own unique host headers associated to it all under *.domain.com as I
> mentioned.
>

Oh, well in that case you can't do what you want to do. Period. (Certs aside,
which I think will cause a problem...the same cert on separate machines is
do-able, but on the same machine I haven't heard of yet.)

SSL encrypts from the IP address to IP address of the client/server
connection, basically at the TCP/IP level. So it happens on a lower level
than host headers operate (which is done by examining the contents of
unencrypted packets), thus, the host header information is ENCRYPTED when
the server wants to examine it to get traffic on your single IP to the
proper one of your three webs.

The result is that IIS will send the user using SSL to the default web on the
IP, or just throw an error.

To use three virtual webs with SSL, you need three public IPs on the outside
of the router, and three non-public bound to your NIC on the server.
Period. No way around it.
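
Added example (not part of any post in this thread): the thread turns on the fact that a server sharing one IP:443 presents its certificate before it can read the Host header, so every hostname on that IP is checked against the same certificate. The sketch below applies the usual leftmost-label wildcard rule to the three hostnames from the first post; the function names are hypothetical and the matching rule is a simplified RFC 6125-style check, not IIS code.

```python
# Added illustration: which hostnames pass the client's name check when
# one certificate is presented for every request to a shared IP:443.

def name_matches(cert_name, hostname):
    """Leftmost-label wildcard match, as TLS clients commonly apply it."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        # '*' stands for exactly one label: not zero, not several
        return False
    if cert_labels[0] == "*":
        # Refuse overly broad names such as '*.com'
        if len(cert_labels) < 3 or not host_labels[0]:
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def handshake_results(presented_cert, hostnames):
    """The certificate is chosen per IP:port, before the Host header is
    available, so all hostnames are validated against the same name."""
    return {h: name_matches(presented_cert, h) for h in hostnames}


# Hostnames taken from the original post
SITES = ["a.domain.com", "b.domain.com", "c.domain.com"]

if __name__ == "__main__":
    for cert in ("a.domain.com", "*.domain.com"):
        print(cert, handshake_results(cert, SITES))
    # Edge cases a wildcard does NOT cover
    print(name_matches("*.domain.com", "domain.com"))      # bare domain
    print(name_matches("*.domain.com", "x.a.domain.com"))  # two levels deep
```

With a single-name certificate only one of the three sites validates; with `*.domain.com` all three do, while the bare domain and deeper subdomains still fail the check.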