Re: ISA wildcard certificate

From: Bruno GUERPILLON (spam_at_gerpion.com)
Date: 08/19/04


Date: Thu, 19 Aug 2004 09:52:49 +0200

Stefke wrote:
| Greetings,
|
| I'm having trouble configuring my setup with a wildcard SSL certificate.
|
| Setup:
|
| 1 ISA server
| 1 webserver (hosting 3 websites)
|
|
| WEBSERVER                                     FIREWALL (ISA)
|
| test1.domain.com cert CN = test1.domain.com  |
| test2.domain.com cert CN = test2.domain.com  | <- ISA: Cert CN = *.domain.com
| test3.domain.com cert CN = test3.domain.com  |
|
| A) I use a public cert from THAWTE (*.domain.com) that I have bound to a
| web listener on my ISA (I have 10 web listeners).
| B) I have 3 websites (on 1 webserver), to each of which I have issued a
| certificate from my W2K subCA, as drawn above. Connection is based on
| host headers.
| C) I created a web publishing rule for each website.
|
| Situation:
|
| Only 1 website (test1.domain.com) can be reached if I use the "redirect
| SSL traffic as SSL requests" option.
| The other 2 websites can only be reached when I use the "redirect SSL
| traffic as HTTP" option; when I use the "redirect SSL traffic as SSL
| requests" option I get the famous:
|
| 500 Internal Server Error - The target principal name is incorrect.
| (-2146893022)
| Internet Security and Acceleration Server
|
| Have I forgotten something ??
|
| Txs for the feedback,
|
| Stefan

Hi Stefan

Here are the concepts of SSL-to-SSL

The subject of the certificate presented to the web client by ISA MUST be
the URL typed by the web client.
The subject of the certificate presented to the ISA server by IIS MUST be
the URL given by ISA Server.

So, your wildcard certificate (*.domain.com) is really OK.

Now, in your publishing rule (bridging set to SSL to SSL by default),
redirect to the IIS and type the name of the certificate hosted by the IIS.

"500 Internal Server Error - The target principal name is incorrect." comes
because IIS shows a certificate that doesn't match the name asked for by ISA
itself.

I hope you could understand my English and that my answer will help.

Regards

-- 
Keep us posted,
best regards,
Bruno GUERPILLON
http://isa.gerpion.com 
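The two name checks Bruno describes, as an added illustration that is not code from this post or from ISA Server: a small Python model of the two SSL hops in SSL-to-SSL bridging, which reports which hop fails for each published site. The wildcard rule (one left-most label only), the site names and the rule that redirects to the hypothetical internal name webserver.internal are constructed assumptions; ISA's own certificate validation is not reproduced here.

```python
from dataclasses import dataclass

def subject_matches(cert_cn: str, requested_host: str) -> bool:
    """True if cert_cn covers requested_host.  A wildcard CN such as
    *.domain.com covers exactly one left-most label (test2.domain.com,
    but not a.b.domain.com and not the bare domain.com)."""
    cn, host = cert_cn.lower(), requested_host.lower()
    if cn.startswith("*."):
        suffix = cn[1:]                 # ".domain.com"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]   # the label the '*' stands for
        return bool(prefix) and "." not in prefix
    return cn == host

@dataclass
class PublishingRule:
    listener_cert_cn: str   # certificate bound to the ISA web listener
    redirect_to: str        # name ISA uses when it reopens SSL to IIS

def check_bridged_request(typed_host: str, rule: PublishingRule,
                          iis_cert_cn: str) -> tuple:
    """Walk both SSL hops of a bridged request; report the first failure."""
    # Hop 1: browser -> ISA listener. The listener cert must cover the
    # host name the user typed (the wildcard does this for all three sites).
    if not subject_matches(rule.listener_cert_cn, typed_host):
        return False, "listener cert %s does not cover %s" % (
            rule.listener_cert_cn, typed_host)
    # Hop 2: ISA -> IIS. ISA checks the IIS cert against the name in the
    # rule's redirect, not against what the browser typed.
    if not subject_matches(iis_cert_cn, rule.redirect_to):
        return False, ("500 Internal Server Error - The target principal "
                       "name is incorrect. (IIS cert %s, ISA asked for %s)"
                       % (iis_cert_cn, rule.redirect_to))
    return True, "ok"

# Constructed sample modelled on the post: one wildcard listener, three IIS
# sites with their own subCA certs, and one rule redirecting to the wrong name.
IIS_CERTS = {"test1.domain.com": "test1.domain.com",
             "test2.domain.com": "test2.domain.com",
             "test3.domain.com": "test3.domain.com"}
RULES = {"test1.domain.com": PublishingRule("*.domain.com", "test1.domain.com"),
         "test2.domain.com": PublishingRule("*.domain.com", "webserver.internal"),
         "test3.domain.com": PublishingRule("*.domain.com", "test3.domain.com")}

def diagnose(rules=RULES, iis_certs=IIS_CERTS) -> dict:
    """Map each published site name to the (ok, message) result for it."""
    return {site: check_bridged_request(site, rule, iis_certs[site])
            for site, rule in rules.items()}
```

Running diagnose() shows test1 and test3 passing and test2 failing on the second hop with the same error text quoted in the post; changing that rule's redirect to test2.domain.com makes it pass.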

