Skip to main content

Installing a Unified Communications SSL certificate in Microsoft IIS 6.0

Just another working day in Redmond

Being placed in the dire situation where my project has to go live and is being served by a Windows server that has no administrator I was forced to open up my RDP client and venture back in time to the days of dinosaurs and IIS.

Unified Communications SSL Certificates are pretty much the only solution I could find to allow a single installation of IIS to share a single certificate that is valid for multiple domains that don't conform to a wildcard.  Whew, what a mouthful.  In other words if you have the domains http://www.ihatemicrosoft.com , http://www.apacheisfree.com, and http://www.graphicalinterfacesareforpansies.com you can use a SSL single certificate to secure them by setting up Subject Alternate Names.

Getting them up and running was a cinch for me made only slightly more complicated by previous failed installation issues which I had to identify and undo.

Firstly if somebody else has tried to install the certificate and failed it's not a bother.  Just get the exact details that were used and rekey it (if the issuer allows this).  GoDaddy allowed me to instantly request a new certificate which I was quickly able to install onto the "master" domain (the one that is not a Subject Alternate Name). Thus I was working from a clean canvas, without incorrect or expired certificates lurking around.

I really don't feel like replicating the bazillions of articles written for Microsoft IIS 6.0 so I'll link to an article that is pretty useful and is on a site full of useful articles - How To Install a Certificate in IIS 6.0 .  I personally had to remove the old (expired) certificate and issue a new CRF but hopefully you won't have to go through all that.

Now that you have it installed for your master the next issue is to set up the SSL bindings, which is the clever bit and the whole point of using Subject Alternate Names.  Basically the issue with using the same IP and port (443) for different sites causes an issue with other sorts of certificates for obvious reasons.  However the Unified Communications SSL certificate is able to validate a number of domains quite happily, we just need to get IIS 6.0 to bind the SSL 443 ports correctly to the host names.

You have probably already noticed that you can't set host headers for SSL in the IIS manager.  That's okay, there is a DOS tool to do this.  For non-Linux people the this might be very very scary, but you need to just drop to a command prompt and do a few things.  Before you do that, however, click on the root node of your domain list to view a list of domains.  Make a note of the long number and host header values that identify the site(s) you want to add as Subject Alternate Names.

Now pop to a DOS prompt and follow the advice given at Digicert which helps you to configure the IIS 6.0 SSL host headers using a VB script.  Basically the important thing is to run the following command from c:\Inetpub\AdminScripts (assuming a default IIS installation):

cscript.exe adsutil.vbs set /w3svc/site identifier/SecureBindings ":443:host header"

If you get an error when browsing that refers to an Invalid Host Header just check that you have correctly matched the site identifier number to the hostheader in the command above and rerun with the correct values to fix it.  You may need to stop and start (why does IIS not have a restart option Steve Ballmer?)  to get everything happy.

Labels:

Comments

  1. SSL Cert News21 March 2012 at 06:21

    Nice Blog!

    Your Blog has really core information about USS SSL certificate installation at IIS 6.0. We were looking for installation process for Subject Alternate Names (SAN) and your blog helped us for the same. We appreciate your efforts and Thanks for sharing it on your blog.

    Thanks - Cheap EV SSL Certificate

    ReplyDelete
  2. Unknown23 March 2012 at 10:19

    it's really valuable information about SAN SSL Certificate which supports multiple domains using single server certificate. Thanks for sharing it with US!

    Cheap SSL | RapidSSL

    ReplyDelete
  3. Sarah Whitehead4 April 2012 at 15:18

    Even after reading endless articles, the intricacies of ssl certificates still seem to be incredibly confusing to me.

    ReplyDelete

Post a Comment

Popular posts from this blog

Separating business logic from persistence layer in Laravel

There are several reasons to separate business logic from your persistence layer.  Perhaps the biggest advantage is that the parts of your application which are unique are not coupled to how data are persisted.  This makes the code easier to port and maintain. I'm going to use Doctrine to replace the Eloquent ORM in Laravel.  A thorough comparison of the patterns is available  here . By using Doctrine I am also hoping to mitigate the risk of a major version upgrade on the underlying framework.  It can be expected for the ORM to change between major versions of a framework and upgrading to a new release can be quite costly. Another advantage to this approach is to limit the access that objects have to the database.  Unless a developer is aware of the business rules in place on an Eloquent model there is a chance they will mistakenly ignore them by calling the ActiveRecord save method directly. I'm not implementing the repository pattern in all its glory in this demo.  
Post a Comment
Read more

Fixing puppet "Exiting; no certificate found and waitforcert is disabled" error

While debugging and setting up Puppet I am still running the agent and master from CLI in --no-daemonize mode.  I kept getting an error on my agent - ""Exiting; no certificate found and waitforcert is disabled". The fix was quite simple and a little embarrassing.  Firstly I forgot to run my puppet master with root privileges which meant that it was unable to write incoming certificate requests to disk.  That's the embarrassing part and after I looked at my shell prompt and noticed this issue fixing it was quite simple. Firstly I got the puppet ssl path by running the command   puppet agent --configprint ssldir Then I removed that directory so that my agent no longer had any certificates or requests. On my master side I cleaned the old certificate by running  puppet cert clean --all  (this would remove all my agent certificates but for now I have just the one so its quicker than tagging it). I started my agent up with the command  puppet agent --test   whi
Post a Comment
Read more

Preventing Directory Traversal attacks in PHP

Directory traversal attacks occur when your program reads or writes a file where the name is based on some sort of input that can be maliciously tampered with.  When used in conjunction with log poisoning this can lead to an attacker gaining remote shell access to your server. At the most simple it could be to include a file like this: echo file_get_contents($_GET['sidebar']); The intention would be for you to be able to call your URL and send a parameter indicating which sidebar content you want to load... like this:  http://foo.bar/myfile.php?sidebar=adverts.html Which is really terrible practice and would not be done by any experienced developer. Another common place where directory traversal attacks can occur is in displaying content based on a database call. If you are reading from or writing to a file based on some input (like GET, POST, COOKIE, etc) then make sure that you remove paths .  The PHP function basename will strip out paths and make sure that y
Post a Comment
Read more