Re: Web Certificate for IIS Server on SBS Domain

• From: Eriq Neale <eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Wed, 14 Sep 2005 00:26:20 GMT

Glad to be of help, though. :)

-Eriq

Thanks Eriq.  Here's what I've done:

Before your reply, I actually ran across rapidssl myself, and have ordered and installed the free 30-day certificate on my site. It works fine, of course.

I just got off the phone with our application vendor, who was all set with instructions to install Certificate Services. They are used to supporting customers running workgroups or domains, but I doubt they run across SBS domains very often. I explained what you'd told me about putting my existing configuration at risk by installing Cert Services, and he said he didn't know that. I've received the documentation he sent me and am reviewing it.

If I can find a way to issue my own cert without risking my SBS setup, I'll try it (only after imaging the servers in question, however!). I have 30 days to tinker with this, so I can always break down and buy the cert from rapidssl if I can't or don't want to use a self-issued cert when the time comes. Time-wise, I'm somewhat inclined to just use the rapidssl cert and not bother with experimenting, so we'll see how much time I have to tinker between now and when we go live. My vendor seemed dismayed at the recurring cost of a 3rd-party cert, but it may pay for itself, esp at their low prices. It has the added benefit of already being trusted.

Thanks again for all your great help.

Bryan

"Eriq Neale" <eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2005091312260975249%eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I use InstantSSL (ww.instantssl.com) for certs for my clients. $79.95 per year, and you can get a 30-day trial certificate to make sure it's going to do what you want. Others are using GoDaddy.com (or so I hear) with much the same success.

Again, if you're just needing a cert to install on your web server to provide SSL connectivity for remote users, go with an external third-party provider (and yes, Verisign can be expensive, depending on what you want from them). When you add Certificate Services on an internal network, lots of internal communications will start using pieces provided by the Cert Server instead of the defaults from Server 2003, and when things blow up, they can blow up gloriously. In a larger environment where user certificates are needed and third party trust isn't a huge factor because everything is being handled internally, i'd definitely look at Certificate Services. In your case, I just dont' think it makes sense for you.

HTH...

-Eriq

On 2005-09-13 11:39:17 -0500, "Bryan L" <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx> said:

Eriq,

Thanks for a great, comprehensive reply.

You guessed correctly on everything:

The public name of the IIS server is diferent than that used for RWW, OWA, etc (in fact, I'm just using https://{SBSPublicIPViaNAT} for the SBS tools, haven't even set up a name, although I may change that at some point when I feel up to reinstalling the cert on all PocketPCs and helping home users to do the same.)

The IIS server has a dedicated DNS name/Public IP.

It has only one LAN interface, and my firewall is configured with 1:1 NAT for it. I just purchased the new static IP for it yesterday, in fact.

I'm all for purchasing a 3rd party cert if it doesn't cost an arm and a leg. I'm sure there are plenty of cert authorities out there that are much more competitive than verisign, and I don't need a recognized cert authority; my intent is simply to secure users' sessions with the server, not provide 3rd-party verification of identity, since only my users will be on the site. But I've had a hard time finding (via google) a decent guide to inexpensive cert authorities. I'm finding companies, but how do I know who's reliable/reputable?

If I tried to install Cert Services in my SBS domain, what sort of problems could I expect, and is there a way to avoid them?

Thanks again for the great info Eriq.

Bryan

"Eriq Neale" <eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2005091309302016807%eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On 2005-09-12 17:03:06 -0500, "Bryan L" <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx> said:

I have configured a certificate on my SBS for use with RWW, OWA, OMA, and RPC over HTTP. I've never had any trouble with it.

I'm now setting up a web application on a new IIS server on my domain and I want to secure all connections with a self-issued certificate, since I want to give my users access to it across the internet. Since the certificate and DNS names need to match, I presume I need to set up another cert specifically for use by that server. I've set up 1:1 NAT and a public DNS record for the server. I just have a few questions:

I've never installed Certificate Services on the SBS because I haven't needed to. Will that be necessary in order for the IIS server to request a certificate of the SBS server?

Will installing Certificate Services mess up my existing configuration in any way?

Do I need to install Certificate Services on the SBS, or can it be installed on the IIS server? Would I get the same results either way, and is there a best practice?

Just looking to clearly understand my options, and the logical process of what I need to do.

Thanks in advance!

Bryan

Hey Brian - a couple of other questions for you:

1. Is the Public Name of the new IIS server the same or different from the name used to access RWW, OWA, etc?
2. If they are different (which seems to be the case in your message, but it's not exactly clear, hence question #!) are they both pointing to the same public IP address?
3. Is this new IIS server only on the internal network, or does it have a separate interface that connects to the public internet as well?

To be perfectly honest, I would recommend that you avoid the use of Certificate Services on your internal network and if the second IIS server is as truly separate as it seems like it might be, go ahead and purchase a third-party certificate for that server and keep it independent of the self-signed certificate for the SBS server. Can you install and use Certificate Services to do what you are wanting? Absolutely. Is it going to cost more in time and headache than purchasing a third-party cert for your second website? Absolutely times 10. You have to realize that once you pur Certificate Services in an SBS environment, you don't want to pull it out, and it can in some cases interfere with traditional SBS certificate functions.

Case in point - about two months ago, I set up a purchased certificate for a client. The total cost to the client was about one hour of my standard consulting rate. Only half of that cost went toward the purchase of the certiicate, and the other half represented the half hour of my time that it took me to set it up. If you're only trying to set up a single certificate for a single site, I cannot see the time value of setting up Certificate Services for that single server.

If you were talking about putting together certs for multiple servers and/or multiple users, then you might look into it, but in this scenario, I think it would be more trouble than it's worth...

--
Eriq Neale - Small Business Specialist, MCSE, Mac Guru
EON Consulting - www.eonconsulting.net
Author of Microsoft Small Business Server 2003 Unleashed
Need additional IT insight? E-mail "support at eonconsulting dot net"

.

• References:
  • Re: Web Certificate for IIS Server on SBS Domain
    • From: Bryan L

• Prev by Date: Re: Serious domain problem
• Next by Date: RE: strange problem.......
• Previous by thread: Re: Web Certificate for IIS Server on SBS Domain
• Next by thread: Re: Web Certificate for IIS Server on SBS Domain
• Index(es):
  • Date
  • Thread

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint