Hi,
I think you need to do some reading on how SSL works.
The connection between client and server is based on the IP address (so, if
I type in https://www.microsoft.com), then my client looks up the address of
www.microsoft.com in the DNS, and connects to that IP address.
SSL however requires certificates - in the certificate is the "server name".
For the browser to accept the certificate automatically, one of the key
criteria is that the *name* of the server I am connecting (in the address
bar of the browser) to matches the name of the server in the certificate. If
it doesn't, the browser will warn me.
So:
a) You can't use Host: headers when setting up SSL on your server. This is
because transmission of data from client to server is encrypted (including
the Host: header bit), so the Host: header cannot be used by the server to
work out which website the user is trying to contact.
b) The server certificate that you install on your webserver has a "server
name" embedded in it. You must install it into the website that has the
matching DNS name. Otherwise the browser will warn the user.
c) If you want to run multiple SSL secured websites on a single machine,
then each website needs to have its own unique IP address (or needs to run
on different TCP ports, i.e. not port 443).
Some more information:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;257591
Description of the Secure Sockets Layer (SSL) Handshake
http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf
Also has some information on how certificates/SSL work.
Cheers
Ken
"serge" <sergea.DeleteThis@nospam.ehmail.com> wrote in message
news:TSr4d.21681$pA.1461013@news20.bellglobal.com...
> I am trying to understand the SSL issue I have. Please correct me if I am
> wrong.
> What I understand so far is that one SSL certification can only be given
> to an IP address once. That means I can never have two DNS using the same
> IP address having two SSL certifications tied to their DNS.
>
> But on the other hand, I can either get one SSL certification for the 4
> WebsiteX using their common IP address, but that means their DNS names
> will not be SSL certified. Or, I can use 4 different IP addresses and have
> a different SSL certification for each WebsiteX.
>
> Is there a difference between having an SSL certification for an IP
> address or a DNS name? I am guessing the answer is yes, but I am not 100%
> sure.
>
>
> Thank you Ken
>
>
>> Q2) Yes, you are correct, you can do that. An SSL connection uses the IP
>> address + TCP Port (port 80). Then, the SSL certificate's servername is
>> matched to the domain name that the user typed in. So, in your situation,
>> you can SSL enable a single website out of the 5 that you have (assuming
>> you only have a single IP address). When you create your server-certificate
>> request, make sure you enter the DNS name of the website you want to SSL
>> enable.
>
>> > If I want to enable SSL for only 1 of the 4 WebsiteX sites, can I do
>> > that?
>> > Or a DNS SSL can only work for 1 IP address when that IP address is
>> > not also being used by other DNS? Am I asking the question properly?
>
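
Added example (not part of the original posts): a small Python model of points b) and c) above, in which the server can choose its certificate only from the IP address and TCP port the client connected to, and the browser then compares the certificate's server name with the name in the address bar. All host names, addresses and bindings are constructed, and the helper names are hypothetical. The wildcard handling goes slightly beyond the thread, and the TLS Server Name Indication extension is deliberately not modelled.

```python
# Added illustration; every host name, address and binding here is constructed.

def name_matches(cert_name: str, host: str) -> bool:
    """Browser-style check of one certificate name against the typed host name."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # A wildcard covers exactly one left-most label, never a bare TLD.
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def connect(url_host, port, dns, bindings):
    """Return (certificate names presented, True if accepted without warning)."""
    ip = dns[url_host]                     # the client resolves the name first
    cert_names = bindings.get((ip, port))  # server knows only IP + port so far
    if cert_names is None:
        return None, False                 # no SSL site bound to this endpoint
    accepted = any(name_matches(n, url_host) for n in cert_names)
    return cert_names, accepted


def warned_hosts(dns, bindings, port=443):
    """Host names for which the browser would not accept the certificate."""
    return sorted(h for h in dns if not connect(h, port, dns, bindings)[1])


# Constructed setup 1: four sites share one IP address, one certificate on 443.
DNS_SHARED = {f"site{i}.example.com": "192.0.2.10" for i in range(1, 5)}
BIND_SHARED = {("192.0.2.10", 443): ["site1.example.com"]}

# Constructed setup 2: one IP address per site, each with its own certificate.
DNS_SPLIT = {f"site{i}.example.com": f"192.0.2.{10 + i}" for i in range(1, 5)}
BIND_SPLIT = {(ip, 443): [host] for host, ip in DNS_SPLIT.items()}

if __name__ == "__main__":
    print("shared IP  :", warned_hosts(DNS_SHARED, BIND_SHARED))
    print("IP per site:", warned_hosts(DNS_SPLIT, BIND_SPLIT))
```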