Re: Windows 2003 sbs : multiple webs & SSL
From: Steve Bruce, mct (steve_at_xmaslake.com)
Date: 09/11/04
- Next message: SuperGumby [SBS MVP]: "Re: VSC is hanging server (and workstations)."
- Previous message: Gavin Steiner: "Re: logins"
- In reply to: Erwin: "Re: Windows 2003 sbs : multiple webs & SSL"
- Next in thread: Erwin: "Re: Windows 2003 sbs : multiple webs & SSL"
- Reply: Erwin: "Re: Windows 2003 sbs : multiple webs & SSL"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 11 Sep 2004 18:06:51 -0500
Last question first. By installing the root certificate on the client
computer there will be no warning saying "the certificate was issued by a
certificate authority that is not trusted by your computer".
Plus it's kind of cool to allow your users to install the root certificate
with the .asp page. SEE BELOW FOR THE SAMPLE PAGE
Without the root cert installed, by accepting the warning they can go ahead
and connect.
The Default site will have to be your SSL site.
Other sites will use host headers--Host headers are pretty easy to set up in
IIS - If you start to create a new site, the wizard has a space for the host
header like "stuff.com".
Some firewalls can be used to read the HTTP HEADER instead of IIS. Like the
Microsoft ISA Server. Then with multiple private IPs on your internal web
server, the ISA server sends the request to the correct Private IP on the
web server.
------------------------------------------------------------------------
From a Microsoft KB article that I saved at one time - easy to adapt to your
needs.
RESOLUTION

The steps below are used to install the root certificate into the client's
browser. This eliminates the security message the next time you visit the
site. Note that these steps will only work for Microsoft Internet Explorer
browsers.

NOTE: The requirement to install the Certificate Authority Certificate only
exists with non-trusted CAs, such as Microsoft Certificate Server.

1. During the default installation of Certificate Server, a shared folder is
   generated to store the root certificate file. The default location of this
   folder is C:\Certconfig. In this folder, locate the root certificate file.
   The default naming standard is as follows:

   servername.domain.com_name_of_certificate_server.crt

   If you cannot find the root certificate file, search your hard drives for
   all files that end in .crt. Double-click each .crt file that is returned in
   the search and view its details to confirm that its serial number is the
   same as the serial number of the root certificate that issued your Web
   server certificate.

   To view the serial number of your Web site's root certificate, securely
   browse to your Web site (that is, use the https:// protocol) and
   double-click the padlock icon in the lower right corner of your browser.
   Click the Certification Path tab and double-click the top certificate. The
   serial number of this certificate should match the root certificate that
   your search returned.

2. Export the root certificate (.crt) file to a Base64 root certificate (.cer)
   file. To do this, follow these steps:

   a. In Windows Explorer, double-click the root certificate file.
   b. Click the Details tab and select Copy to file to start the Certificate
      Manager Export Wizard.
   c. On the second screen of the wizard select Base64, and on the third
      screen provide a path and file name for the certificate.
      NOTE: This is the file that you use in the sample ASP code that is
      provided in this article.
   d. Click Next and then click Finish.

3. Modify line 11 of the following code to point to the Base64 root certificate
   file that you created in step 2.

<HTML>
<HEAD>
<TITLE>Installing A Root Certificate</TITLE>
<BR>Root Certificate Authority Installation
<BR>
<BR>
<%@ LANGUAGE="VBScript"%>
<%
' Server side: read the Base64 root certificate file line by line.
Set fs = CreateObject("Scripting.FileSystemObject")
Set MyFile = fs.OpenTextFile("c:\caconfig\rootca.cer", 1)
Output = ""
' Quote each line and join the lines with VBScript line continuations so
' the whole file becomes one string expression in the client script below.
Do While MyFile.AtEndOfStream <> true
    line = Chr(34) & MyFile.ReadLine & Chr(34)
    If MyFile.AtEndOfStream <> true then
        line = line & " & _" & Chr(10)
    End If
    Output = Output & line
Loop
MyFile.Close
Set MyFile = Nothing
Set fs = Nothing
%>
<SCRIPT language="VBSCRIPT">
' Client side (Internet Explorer only): pass the Base64 certificate text
' to the certificate enrollment control, which prompts the user to install it.
on error resume next
Dim Str, CEnroll
Set CEnroll = CreateObject("CEnroll.CEnroll.1")
Str = <% Response.Write Output %>
CEnroll.installPKCS7(Str)
Set CEnroll = Nothing
</SCRIPT>
</HEAD>
</HTML>

4. Save the modified code as Rootinstall.asp to your Web site location. By
   default this is \Inetpub\Wwwroot.

5. Browse to the Rootinstall.asp file from a client browser. If your root
   certificate is not already in the store, you are prompted to install it.
   Click OK. The certificate is automatically installed into the Trusted Root
   Store on the client browser.
· · · · ·
"Erwin" <ebuce@euronet.be> wrote in message
news:eVlYt8DmEHA.3876@TK2MSFTNGP15.phx.gbl...
> Steve,
> thanks for your prompt answer !
>
> Let me recapitulate to see if I got it right :
>
> 1. Forgetting about SSL for a moment, you CAN have different websites on 1
> IP-address, using Host Headers, right ? (I don't know how to do that, but if
> at least I know it's possible, I'll figure it out somehow)
>
> 2. SSL is only possible for 1 site. That suits me fine, I don't need SSL
> for the other sites
>
> 3. Now about those certs, you mean that the user has to install those certs
> on his computer ? I thought the client just had to accept the fact that SSL
> is used (you know, the pop up window that comes up on which you have to
> click "Accept" when you're installing a plug in to Internet Explorer);
>
> Could you let me know if I'm on the right track here ? Thanks
> Erwin
>
> "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
> news:OfKEZqDmEHA.3900@TK2MSFTNGP10.phx.gbl...
> > Yes you can issue your own certificates but it's usually done when people
> > you know are going to be accessing the server, because you have to make
> > arrangements for the installation of root certificate on their computer.
> >
> > There is a sample .asp page on the microsoft support site that you can
> > adapt for installing root certs on clients.
> >
> > this is what it looks like when adapted - takes a while to load because
> > you don't yet have the cert on your computer.
> >
> > https://mail.datacomintl.com/cert/
> >
> > Certificates for SSL have to be created to exactly match the url used to
> > get to the site. You can put different certificates on different web sites.
> >
> > To host multiple SSL sites on a server, you cannot use Host Headers to
> > direct requests to the correct site because the Header cannot be read
> > because it is encrypted.
> >
> > To support SSL with default port#s to one server you need an IP address
> > for each site.
> >
> >
> > "Erwin" <ebuce@euronet.be> wrote in message
> > news:uvR5xLDmEHA.3428@TK2MSFTNGP11.phx.gbl...
> > > Hi,
> > > being a newbie as far as W2003 SBS is concerned, I'm aware that the
> > > following questions are probably asked a 1000 times before, but I
> > > can't get a clear picture.
> > >
> > > Here it goes :
> > >
> > > 1. Is it possible on W2003 SBS to host multiple webs ? I would like to
> > > have www.abc.com and www.def.com to point to different virtual folders.
> > > I know of the options :
> > > a. get another IP address
> > > b. use a different IP-port
> > > c. use virtual folders (www.abc.com/abc and www.abc.com./def)
> > > but they are all not quite what I need
> > >
> > > 2. For a virtual folder, I would need SSL. Is it possible in W2003 SBS
> > > for being your own CA ? I've read somewhere it is, but the article was
> > > for securing your WHOLE website, while I need only to secure a virtual
> > > folder.
> > >
> > > Any help on this would greatly be appreciated !
> > >
> > > Erwin Bauwens
> > >
> > >
> >
> >
>
>
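
The serial-number comparison described in the KB steps above, as an added PowerShell example (not part of the original post or the KB article). The serial value and search path are constructed placeholders; the script also prints each match's thumbprint so it can be confirmed out-of-band before anyone installs the root.

```powershell
# Added example: locate the certificate file whose serial number matches the
# root shown on the browser's Certification Path tab.
param(
    # Constructed sample value; paste the serial number from the certificate dialog.
    [string]$ExpectedSerial = '00 aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88',
    # Assumed search location; narrow it to the CA's shared folder if known.
    [string]$SearchRoot     = 'C:\'
)

function ConvertTo-NormalizedSerial([string]$Serial) {
    # The dialog shows hex bytes separated by spaces; .NET returns upper-case
    # hex with no separators. Strip non-hex characters and leading zeros so
    # both forms compare equal.
    return ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant().TrimStart('0')
}

$want = ConvertTo-NormalizedSerial $ExpectedSerial

Get-ChildItem -Path $SearchRoot -Include *.crt, *.cer -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    try {
        # Loads DER or Base64 encoded certificates.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    } catch {
        return   # not a parseable certificate file; skip it
    }

    if ((ConvertTo-NormalizedSerial $cert.SerialNumber) -ne $want) { return }

    [pscustomobject]@{
        File       = $_.FullName
        Subject    = $cert.Subject
        # A root certificate names itself as issuer; an intermediate or
        # server certificate with a matching serial would show False here.
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}
```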