Re: Windows 2003 sbs : multiple webs & SSL

From: Erwin (ebuce_at_euronet.be)
Date: 09/12/04


Date: Sun, 12 Sep 2004 03:47:58 +0200

Thanks Steve
I'll save your post to be used later. Indeed, as someone else replied, I
should first catch up with my reading on the server before doing anything.
Thanks anyway
Erwin
"Steve Bruce, mct" <steve@xmaslake.com> wrote in message
news:%23VcsQQFmEHA.3612@TK2MSFTNGP12.phx.gbl...
> Last question first. By installing the root certificate on the client
> computer there will be no warning saying "the certificate was issued by a
> certificate authority that is not trusted by your computer"
>
> Plus it's kind of cool to allow your users to install the root certificate
> with the .asp page. SEE BELOW FOR THE SAMPLE PAGE
>
> Without the root cert installed, by accepting the warning they can go ahead
> and connect.
>
> The Default site will have to be your SSL site.
> Other sites will use host headers--Host headers are pretty easy to set up in
> IIS - If you start to create a new site, the wizard has a space for the host
> header like "stuff.com".
>
> Some firewalls can be used to read the HTTP HEADER instead of IIS. Like the
> Microsoft ISA Server. Then with multiple private IP's on your internal web
> server, the ISA server sends the request to the correct Private IP on the
> web server.
>
> ------------------------------------------------------------------------
> From Microsoft KB article that I saved at one time - easy to adapt to your
> needs.
>
> RESOLUTION
>
> The steps below are used to install the root certificate into the client's
> browser. This eliminates the security message the next time you visit the
> site. Note that these steps will only work for Microsoft Internet Explorer
> browsers.
>
> NOTE: The requirement to install the Certificate Authority Certificate only
> exists with non-trusted CAs, such as Microsoft Certificate Server.
>
> During the default installation of Certificate Server, a shared folder is
> generated to store the root certificate file. The default location of this
> folder is C:\Certconfig. In this folder, locate the root certificate file.
> The default naming standard is as follows:
>
> servername.domain.com_name_of_certificate_server.crt
>
> If you cannot find the root certificate file, search your hard drives for
> all files that end in .crt. Double-click each .crt file that is returned in
> the search and view its details to confirm that its serial number is the
> same as the serial number of the root certificate that issued your Web
> server certificate.
>
> To view the serial number of your Web site's root certificate, securely
> browse to your Web site (that is, use the https:// protocol) and
> double-click the padlock icon in the lower right corner of your browser.
> Click the Certification Path tab and double-click the top certificate. The
> serial number of this certificate should match the root certificate that
> your search returned.
>
> Export the root certificate (.crt) file to a Base64 root certificate (.cer)
> file. To do this, follow these steps:
>
> In Windows Explorer, double-click the root certificate file.
>
> Click the Details tab and select Copy to file to start the Certificate
> Manager Export Wizard.
>
> On the second screen of the wizard select Base64, and on the third screen
> provide a path and file name for the certificate.
>
> NOTE: This is the file that you use in the sample ASP code that is provided
> in this article.
>
> Click Next and then click Finish.
>
> · · · · ·
>
> Modify line 11 of the following code to point to the Base64 root certificate
> file that you created in step 2.
>
> <HTML>
> <HEAD>
> <TITLE>Installing A Root Certificate</TITLE>
> <BR>Root Certificate Authority Installation
> <BR>
> <BR>
> <%@ LANGUAGE="VBScript"%>
> <%
> Set fs = CreateObject("Scripting.FileSystemObject")
> Set MyFile = fs.OpenTextFile("c:\caconfig\rootca.cer", 1)
> Output = ""
> Do While MyFile.AtEndOfStream <> true
>     line = Chr(34) & MyFile.ReadLine & Chr(34)
>     If MyFile.AtEndOfStream <> true then
>         line = line & " & _" & Chr(10)
>     End If
>     Output = Output & line
> Loop
> MyFile.Close
> Set MyFile = Nothing
> Set fs = Nothing
> %>
> <SCRIPT language="VBSCRIPT">
> on error resume next
> Dim Str, CEnroll
> Set CEnroll = CreateObject("CEnroll.CEnroll.1")
> Str = <% Response.Write Output %>
> CEnroll.installPKCS7(Str)
> Set CEnroll = Nothing
> </SCRIPT>
> </HEAD>
> </HTML>
>
> Save the modified code as Rootinstall.asp to your Web site location. By
> default this is \Inetpub\Wwwroot.
>
> Browse to the Rootinstall.asp file from a client browser. If your root
> certificate is not already in the store, you are prompted to install it.
>
> Click OK. The certificate is automatically installed into the Trusted Root
> Store on the client browser.
>
> · · · · ·
>
>
>
>
>
> "Erwin" <ebuce@euronet.be> wrote in message
> news:eVlYt8DmEHA.3876@TK2MSFTNGP15.phx.gbl...
>> Steve,
>> thanks for your prompt answer !
>>
>> Let me recapitulate to see if I got it right :
>>
>> 1. Forgetting about SSL for a moment, you CAN have different websites on 1
>> IP-address, using Host Headers, right ? (I don't know how to do that, but if
>> at least I know it's possible, I'll figure it out somehow)
>>
>> 2. SSL is only possible for 1 site. That suits me fine, I don't need SSL
>> for the other sites
>>
>> 3. Now about those certs, you mean that the user has to install those certs
>> on his computer ? I thought the client just had to accept the fact that SSL
>> is used (you know, the pop up window that comes up on which you have to
>> click "Accept" when you're installing a plug in to Internet Explorer);
>>
>> Could you let me know if I'm on the right track here ? Thanks
>> Erwin
>>
>> "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
>> news:OfKEZqDmEHA.3900@TK2MSFTNGP10.phx.gbl...
>> > Yes you can issue your own certificates but it is usually done when people you
>> > know are going to be accessing the server, because you have to make
>> > arrangements for the installation of root certificate on their computer.
>> >
>> > There is a sample .asp page on the microsoft support site that you can adapt
>> > for installing root certs on clients.
>> >
>> > this is what it looks like when adapted - takes a while to load because you
>> > don't yet have the cert on your computer.
>> >
>> > https://mail.datacomintl.com/cert/
>> >
>> > Certificates for SSL have to be created to exactly match the url used to get
>> > to the site. You can put different certificates on different web sites.
>> >
>> > To host multiple SSL sites on a server, you cannot use Host Headers to
>> > direct requests to the correct site because the Header cannot be read
>> > because it is encrypted.
>> >
>> > To support SSL with default port#s to one server you need an IP address for
>> > each site.
>> >
>> >
>> > "Erwin" <ebuce@euronet.be> wrote in message
>> > news:uvR5xLDmEHA.3428@TK2MSFTNGP11.phx.gbl...
>> > > Hi,
>> > > being a newbie as far as W2003 SBS is concerned, I'm aware that the
>> > > following questions are probably asked a 1000 times before, but I can't get
>> > > a clear picture.
>> > >
>> > > Here it goes :
>> > >
>> > > 1. Is it possible on W2003 SBS to host multiple webs ? I would like to have
>> > > www.abc.com and www.def.com to point to different virtual folders.
>> > > I know of the options :
>> > > a. get another IP address
>> > > b. use a different IP-port
>> > > c. use virtual folders (www.abc.com/abc and www.abc.com./def)
>> > > but they are all not quite what I need
>> > >
>> > > 2. For a virtual folder, I would need SSL. Is it possible in W2003 SBS for
>> > > being your own CA ? I've read somewhere it is, but the article was for
>> > > securing your WHOLE website, while I need only to secure a virtual folder.
>> > >
>> > > Any help on this would greatly be appreciated !
>> > >
>> > > Erwin Bauwens
>> > >
>> > >
>> >
>> >
>>
>>
>
>
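
The serial-number comparison from the quoted KB steps, as an added example that is not part of the original thread or the KB article: it reads a Base64 (.cer) export, pulls the serial number out of the DER structure, and compares it with the value copied from the browser's certificate dialog. The function names are illustrative, and the sample file is a constructed DER skeleton (version and serial only), not a valid certificate.

```python
import base64
import hashlib
import re


def pem_to_der(text):
    """Decode a Base64 (.cer) export, with or without BEGIN/END lines."""
    body = re.sub(r"-----[A-Z ]+-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("DER element overruns the file")
    return tag, start, start + length


def serial_and_fingerprint(der):
    """Return (serial as hex, SHA-256 of the DER) for an X.509 certificate."""
    pos = 0
    for _ in range(2):  # Certificate, then tbsCertificate: both SEQUENCE
        tag, pos, _end = read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("not an X.509 certificate")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:  # optional [0] version field precedes the serial
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].hex(), hashlib.sha256(der).hexdigest()


def serial_matches(cer_text, shown_serial):
    """Compare the file's serial with one copied from the certificate dialog."""
    serial, _ = serial_and_fingerprint(pem_to_der(cer_text))
    shown = re.sub(r"[^0-9A-Fa-f]", "", shown_serial)  # drop spaces, colons
    return bool(shown) and int(serial, 16) == int(shown, 16)


def _tlv(tag, value):  # short-form DER encoder, enough for the sample below
    return bytes([tag, len(value)]) + value

# Constructed sample: Certificate{ tbs{ [0] version 2, serial } }, nothing else.
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))
            + _tlv(0x02, bytes.fromhex("610a3b7c00000000001f")))
SAMPLE_CER = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_tlv(0x30, _TBS)).decode()
              + "-----END CERTIFICATE-----\n")
```

A serial number is only an identifier chosen by the issuing CA; the SHA-256 fingerprint returned alongside it is the value to confirm through a separate channel before a root goes into a trust store.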


