Re: Web Certificate for IIS Server on SBS Domain



Thanks Eriq. Here's what I've done:

Before your reply, I actually ran across rapidssl myself, and have ordered
and installed the free 30-day certificate on my site. It works fine, of
course.

I just got off the phone with our application vendor, who was all set with
instructions to install Certificate Services. They are used to supporting
customers running workgroups or domains, but I doubt they run across SBS
domains very often. I explained what you'd told me about putting my
existing configuration at risk by installing Cert Services, and he said he
didn't know that. I've received the documentation he sent me and am
reviewing it.

If I can find a way to issue my own cert without risking my SBS setup, I'll
try it (only after imaging the servers in question, however!). I have 30
days to tinker with this, so I can always break down and buy the cert from
rapidssl if I can't or don't want to use a self-issued cert when the time
comes. Time-wise, I'm somewhat inclined to just use the rapidssl cert and
not bother with experimenting, so we'll see how much time I have to tinker
between now and when we go live. My vendor seemed dismayed at the recurring
cost of a 3rd-party cert, but it may pay for itself, esp at their low
prices. It has the added benefit of already being trusted.

Thanks again for all your great help.

Bryan








"Eriq Neale" <eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2005091312260975249%eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>I use InstantSSL (ww.instantssl.com) for certs for my clients. $79.95 per
>year, and you can get a 30-day trial certificate to make sure it's going to
>do what you want. Others are using GoDaddy.com (or so I hear) with much the
>same success.
>
> Again, if you're just needing a cert to install on your web server to
> provide SSL connectivity for remote users, go with an external third-party
> provider (and yes, Verisign can be expensive, depending on what you want
> from them). When you add Certificate Services on an internal network, lots
> of internal communications will start using pieces provided by the Cert
> Server instead of the defaults from Server 2003, and when things blow up,
> they can blow up gloriously. In a larger environment where user
> certificates are needed and third party trust isn't a huge factor because
> everything is being handled internally, I'd definitely look at Certificate
> Services. In your case, I just don't think it makes sense for you.
>
> HTH...
>
> -Eriq
>
> On 2005-09-13 11:39:17 -0500, "Bryan L"
> <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx> said:
>
>> Eriq,
>>
>> Thanks for a great, comprehensive reply.
>>
>> You guessed correctly on everything:
>>
>> The public name of the IIS server is different than that used for RWW,
>> OWA, etc (in fact, I'm just using https://{SBSPublicIPViaNAT} for the SBS
>> tools, haven't even set up a name, although I may change that at some
>> point when I feel up to reinstalling the cert on all PocketPCs and
>> helping home users to do the same.)
>>
>> The IIS server has a dedicated DNS name/Public IP.
>>
>> It has only one LAN interface, and my firewall is configured with 1:1 NAT
>> for it. I just purchased the new static IP for it yesterday, in fact.
>>
>> I'm all for purchasing a 3rd party cert if it doesn't cost an arm and a
>> leg. I'm sure there are plenty of cert authorities out there that are
>> much more competitive than verisign, and I don't need a recognized cert
>> authority; my intent is simply to secure users' sessions with the server,
>> not provide 3rd-party verification of identity, since only my users will
>> be on the site. But I've had a hard time finding (via google) a decent
>> guide to inexpensive cert authorities. I'm finding companies, but how do
>> I know who's reliable/reputable?
>>
>> If I tried to install Cert Services in my SBS domain, what sort of
>> problems could I expect, and is there a way to avoid them?
>>
>> Thanks again for the great info Eriq.
>>
>> Bryan
>>
>>
>> "Eriq Neale" <eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:2005091309302016807%eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>> On 2005-09-12 17:03:06 -0500, "Bryan L"
>>> <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx> said:
>>>
>>>> I have configured a certificate on my SBS for use with RWW, OWA, OMA,
>>>> and RPC over HTTP. I've never had any trouble with it.
>>>>
>>>> I'm now setting up a web application on a new IIS server on my domain
>>>> and I want to secure all connections with a self-issued certificate,
>>>> since I want to give my users access to it across the internet. Since
>>>> the certificate and DNS names need to match, I presume I need to set up
>>>> another cert specifically for use by that server. I've set up 1:1 NAT
>>>> and a public DNS record for the server. I just have a few questions:
>>>>
>>>> I've never installed Certificate Services on the SBS because I haven't
>>>> needed to. Will that be necessary in order for the IIS server to
>>>> request a certificate of the SBS server?
>>>>
>>>> Will installing Certificate Services mess up my existing configuration
>>>> in any way?
>>>>
>>>> Do I need to install Certificate Services on the SBS, or can it be
>>>> installed on the IIS server? Would I get the same results either way,
>>>> and is there a best practice?
>>>>
>>>> Just looking to clearly understand my options, and the logical process
>>>> of what I need to do.
>>>>
>>>> Thanks in advance!
>>>>
>>>> Bryan
>>>
>>> Hey Brian - a couple of other questions for you:
>>>
>>> 1. Is the Public Name of the new IIS server the same or different from
>>> the name used to access RWW, OWA, etc?
>>> 2. If they are different (which seems to be the case in your message,
>>> but it's not exactly clear, hence question #1) are they both pointing to
>>> the same public IP address?
>>> 3. Is this new IIS server only on the internal network, or does it have
>>> a separate interface that connects to the public internet as well?
>>>
>>> To be perfectly honest, I would recommend that you avoid the use of
>>> Certificate Services on your internal network and if the second IIS
>>> server is as truly separate as it seems like it might be, go ahead and
>>> purchase a third-party certificate for that server and keep it
>>> independent of the self-signed certificate for the SBS server. Can you
>>> install and use Certificate Services to do what you are wanting?
>>> Absolutely. Is it going to cost more in time and headache than
>>> purchasing a third-party cert for your second website? Absolutely times
>>> 10. You have to realize that once you put Certificate Services in an SBS
>>> environment, you don't want to pull it out, and it can in some cases
>>> interfere with traditional SBS certificate functions.
>>>
>>> Case in point - about two months ago, I set up a purchased certificate
>>> for a client. The total cost to the client was about one hour of my
>>> standard consulting rate. Only half of that cost went toward the
>>> purchase of the certificate, and the other half represented the half hour
>>> of my time that it took me to set it up. If you're only trying to set up
>>> a single certificate for a single site, I cannot see the time value of
>>> setting up Certificate Services for that single server.
>>>
>>> If you were talking about putting together certs for multiple servers
>>> and/or multiple users, then you might look into it, but in this
>>> scenario, I think it would be more trouble than it's worth...
>>>
>
>
> --
> Eriq Neale - Small Business Specialist, MCSE, Mac Guru
> EON Consulting - www.eonconsulting.net
> Author of Microsoft Small Business Server 2003 Unleashed
> Need additional IT insight? E-mail "support at eonconsulting dot net"
>

