Help with SSL on IIS with 2 domain names - Certifiate warning

Help with SSL on IIS with 2 domain names - Certifiate warning

am 16.03.2007 15:07:28 von gazlon

Hi,

I have installed a Thawte SSL and SGC certificate on my IIS server for
the following address:

www.heritageresp.com

We have also installed ISAPI_Rewrite to redirect our old address which
is pointing to the same box and has the same IP address:

www.heritagefunds.ca

When people goto the .ca site everything is fine but if the direcly
point to a secure page it comes up with the certifiate warning that
it's not the right domain name. (There is also a secure and non-secure
messaage but thats a different issue).

The following address will give you the certifiate warning and then
when you accept it will redirect to the proper site.

https://www.heritagefunds.ca/content/contest.asp

We want to change it so that it redirects before it check the security
on the page as its secure if you use the .com address.

Thanks for any help you may have!

Mike

Re: Help with SSL on IIS with 2 domain names - Certifiate warning

am 17.03.2007 06:23:37 von David Wang

URL-rewriting is not going to solve anything when it comes to SSL
because it happens after SSL negotiation has already completed, so you
cannot affect the SSL Certificate, which is what the browser is
complaining about. The solution involves either the SSL Certificate or
additional IP addresses. Either:
1. Install a SSL Certificate which names both heritageresp.com and
heritagefunds.com
2. Purchase a second IP so that www.heritageresp.com and
heritagefunds.ca are on different IP (so that you can HTTPS client
redirect)

Otherwise, what you are asking for is not possible because it would be
a security vulnerability. You are asking if you can transparently
redirect people who typed https://www.goodguy.com to https://www.badguy.com
without any certificate warning, and that is clearly not a good
idea...

If you are running Windows Server 2003 SP1, I recommend using SSL Host
Headers with a SSL Certificate that names both heritageresp.com and
heritagefunds.com . That is the simplest solution because it's just
one SSL Certificate on Windows Server 2003 SP1 and you are done.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Mar 16, 7:07 am, gaz...@gmail.com wrote:
> Hi,
>
> I have installed a Thawte SSL and SGC certificate on my IIS server for
> the following address:
>
> www.heritageresp.com
>
> We have also installed ISAPI_Rewrite to redirect our old address which
> is pointing to the same box and has the same IP address:
>
> www.heritagefunds.ca
>
> When people goto the .ca site everything is fine but if the direcly
> point to a secure page it comes up with the certifiate warning that
> it's not the right domain name. (There is also a secure and non-secure
> messaage but thats a different issue).
>
> The following address will give you the certifiate warning and then
> when you accept it will redirect to the proper site.
>
> https://www.heritagefunds.ca/content/contest.asp
>
> We want to change it so that it redirects before it check the security
> on the page as its secure if you use the .com address.
>
> Thanks for any help you may have!
>
> Mike