Re: Web Certificate for IIS Server on SBS Domain

From: Eriq Neale <eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 13 Sep 2005 17:26:09 GMT

I use InstantSSL (ww.instantssl.com) for certs for my clients. $79.95 per year, and you can get a 30-day trial certificate to make sure it's going to do what you want. Others are using GoDaddy.com (or so I hear) with much the same success.

Again, if you're just needing a cert to install on your web server to provide SSL connectivity for remote users, go with an external third-party provider (and yes, Verisign can be expensive, depending on what you want from them). When you add Certificate Services on an internal network, lots of internal communications will start using pieces provided by the Cert Server instead of the defaults from Server 2003, and when things blow up, they can blow up gloriously. In a larger environment where user certificates are needed and third party trust isn't a huge factor because everything is being handled internally, i'd definitely look at Certificate Services. In your case, I just dont' think it makes sense for you.

HTH...

-Eriq

On 2005-09-13 11:39:17 -0500, "Bryan L" <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx> said:

Eriq,
Thanks for a great, comprehensive reply.
You guessed correctly on everything:
The public name of the IIS server is diferent than that used for RWW, OWA, etc (in fact, I'm just using https://{SBSPublicIPViaNAT} for the SBS tools, haven't even set up a name, although I may change that at some point when I feel up to reinstalling the cert on all PocketPCs and helping home users to do the same.)
The IIS server has a dedicated DNS name/Public IP.
It has only one LAN interface, and my firewall is configured with 1:1 NAT for it. I just purchased the new static IP for it yesterday, in fact.

I'm all for purchasing a 3rd party cert if it doesn't cost an arm and a leg. I'm sure there are plenty of cert authorities out there that are much more competitive than verisign, and I don't need a recognized cert authority; my intent is simply to secure users' sessions with the server, not provide 3rd-party verification of identity, since only my users will be on the site. But I've had a hard time finding (via google) a decent guide to inexpensive cert authorities. I'm finding companies, but how do I know who's reliable/reputable?

If I tried to install Cert Services in my SBS domain, what sort of problems could I expect, and is there a way to avoid them?
Thanks again for the great info Eriq.
Bryan
"Eriq Neale" <eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2005091309302016807%eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 2005-09-12 17:03:06 -0500, "Bryan L" <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx> said:
I have configured a certificate on my SBS for use with RWW, OWA, OMA, and RPC over HTTP. I've never had any trouble with it.

I'm now setting up a web application on a new IIS server on my domain and I want to secure all connections with a self-issued certificate, since I want to give my users access to it across the internet. Since the certificate and DNS names need to match, I presume I need to set up another cert specifically for use by that server. I've set up 1:1 NAT and a public DNS record for the server. I just have a few questions:

I've never installed Certificate Services on the SBS because I haven't needed to. Will that be necessary in order for the IIS server to request a certificate of the SBS server?

Will installing Certificate Services mess up my existing configuration in any way?

Do I need to install Certificate Services on the SBS, or can it be installed on the IIS server? Would I get the same results either way, and is there a best practice?

Just looking to clearly understand my options, and the logical process of what I need to do.
Thanks in advance!
Bryan
Hey Brian - a couple of other questions for you:
1. Is the Public Name of the new IIS server the same or different from the name used to access RWW, OWA, etc? 2. If they are different (which seems to be the case in your message, but it's not exactly clear, hence question #!) are they both pointing to the same public IP address? 3. Is this new IIS server only on the internal network, or does it have a separate interface that connects to the public internet as well?

To be perfectly honest, I would recommend that you avoid the use of Certificate Services on your internal network and if the second IIS server is as truly separate as it seems like it might be, go ahead and purchase a third-party certificate for that server and keep it independent of the self-signed certificate for the SBS server. Can you install and use Certificate Services to do what you are wanting? Absolutely. Is it going to cost more in time and headache than purchasing a third-party cert for your second website? Absolutely times 10. You have to realize that once you pur Certificate Services in an SBS environment, you don't want to pull it out, and it can in some cases interfere with traditional SBS certificate functions.

Case in point - about two months ago, I set up a purchased certificate for a client. The total cost to the client was about one hour of my standard consulting rate. Only half of that cost went toward the purchase of the certiicate, and the other half represented the half hour of my time that it took me to set it up. If you're only trying to set up a single certificate for a single site, I cannot see the time value of setting up Certificate Services for that single server.

If you were talking about putting together certs for multiple servers and/or multiple users, then you might look into it, but in this scenario, I think it would be more trouble than it's worth...

--
Eriq Neale - Small Business Specialist, MCSE, Mac Guru
EON Consulting - www.eonconsulting.net
Author of Microsoft Small Business Server 2003 Unleashed
Need additional IT insight? E-mail "support at eonconsulting dot net"

Follow-Ups:
- Re: Web Certificate for IIS Server on SBS Domain
  - From: Bryan L

References:
- Re: Web Certificate for IIS Server on SBS Domain
  - From: Bryan L

Prev by Date: Re: Volume Shadow Copies
Next by Date: Re: Win2k licensing Question
Previous by thread: Re: Web Certificate for IIS Server on SBS Domain
Next by thread: Re: Web Certificate for IIS Server on SBS Domain
Index(es):
- Date
- Thread

Relevant Pages

Re: Terminal Services over a VPN
... Create a certificate request and submit it to godaddy in order to obtain a public cert. ... You can use the wizard in IIS Manager for this by creating a new website that matches the above name (on your TS server), right-click and choose properties, directory security tab, server certificate button. ... After the install you can stop or delete the website created above since you don't need it for anything. ...
(microsoft.public.windows.terminal_services)
Re: SBS 2003 Premium and Cert Services
... that philosphy got blown out of the equation when SBS included Exchange OWA ... "Small Business Server" which is MS claim as to why the risk of exposing the ... the Certificate Server on another server, ... >> Cert, or you could edit the properties of your Certification Authority to ...
(microsoft.public.windows.server.sbs)
Re: Web Certificate for IIS Server on SBS Domain
... and installed the free 30-day certificate on my site. ... instructions to install Certificate Services. ... If I can find a way to issue my own cert without risking my SBS setup, ... > Server instead of the defaults from Server 2003, and when things blow up, ...
(microsoft.public.windows.server.sbs)
Re: Questions
... deployment tool and certificate services. ... we do have more convenient means to create server /client certificate ...
(microsoft.public.dotnet.framework.webservices)
Re: ADFS Token-signing Certs Not in Trusted Root Store
... This is good info, Joe. ... So now I know that the token-signing certificate is ... Get a signing cert from a CA ... case, you never have to worry about expiration or CRL checking, as your cert ...
(microsoft.public.windows.server.active_directory)