Re: Publishing issues with SubjectAltName SSL certs?



Ben Hanson wrote:
We recently provisioned new SSL certs and our cert provider supports the SubjectAltName extension, which allows you to have two DNS FQDNs associated with the cert versus only one. For example if you have an internal IIS web site internal.internet.com and an external IIS web site external.internet.com, you would have to have a cert for each name...with SubjectAltName you can add both names to the one cert and use the same cert on both web sites for SSL connections.

Although these certs work fine internally with IIS as above, when I try to publish server external.internet.com using the cert internal.internet.com (which has a SubjectAltName of external.internet.com), I get an error 23403 in the Event Log:

ISA server could not establish an SSL connection with published server external.internet.com because the name on the SSL certificate used by the published server does not match the name of the server internal.internet.com, specified in the publishing rule.

Basically, it seems like ISA only looks at the name of the cert, which in this case does not match published server name, and does not recognize that the cert does have a SubjectAltName value that *does* match the published server name.

Has anyone run into this that can help me???

Have you ever had a chance to read these:

"Publishing Multiple Web Sites using a Wildcard Certificate in ISA Server 2004" - http://www.isaserver.org/tutorials/2004wildcardcert.html

"Publishing Multiple Web Sites using a Wildcard Certificate in ISA Server 2004" - http://www.microsoft.com/technet/isa/2004/maintain/wildcard.mspx

--
Regards,
Andrew
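
The name comparison at issue in this thread, as an added example that is not part of the original posts and is not ISA Server's code: a subject-name-only check beside a SubjectAltName-aware check, run over a constructed certificate shaped like the one described. The function names are hypothetical, and the example goes slightly beyond the thread by also handling the left-most-label wildcard case covered in the linked articles.

```python
# Added example. Certificates are dicts shaped like the output of Python's
# ssl.SSLSocket.getpeercert(); all sample values below are constructed.

def name_matches(pattern, host):
    """Compare one certificate DNS name with a host name, case-insensitively.
    '*' is honoured only as the whole left-most label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def cn_only_match(cert, host):
    """Subject-name-only comparison: the behaviour the post describes."""
    return any(name_matches(cn, host) for cn in common_names(cert))

def san_aware_match(cert, host):
    """RFC 6125 rule: when dNSName SANs exist, check them and ignore the CN."""
    names = san_dns_names(cert) or common_names(cert)
    return any(name_matches(n, host) for n in names)

# Mirrors the post: subject CN is the internal name, SAN lists only the external.
POSTED_CERT = {
    "subject": ((("commonName", "internal.internet.com"),),),
    "subjectAltName": (("DNS", "external.internet.com"),),
}
# Both names listed in the SAN extension, so a SAN-aware verifier accepts either.
BOTH_IN_SAN = {
    "subject": ((("commonName", "internal.internet.com"),),),
    "subjectAltName": (("DNS", "internal.internet.com"), ("DNS", "external.internet.com")),
}
# Wildcard subject with no SAN extension, as in the linked wildcard articles.
WILDCARD_CERT = {"subject": ((("commonName", "*.internet.com"),),)}

def report(cert, hosts):
    """Map each host to (cn_only result, san_aware result)."""
    return {h: (cn_only_match(cert, h), san_aware_match(cert, h)) for h in hosts}

if __name__ == "__main__":
    hosts = ["internal.internet.com", "external.internet.com"]
    for label, cert in (("posted", POSTED_CERT), ("both-in-SAN", BOTH_IN_SAN)):
        print(label, report(cert, hosts))
```

For the posted certificate the two checkers disagree in both directions: a SAN-aware verifier ignores the subject name once a dNSName SAN is present, so every name the certificate must serve should be listed in the SAN extension.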