Multiple SSL License Problems

Mo

External


Since: Apr 06, 2007
Posts: 2



(Msg. 1) Posted: Fri Apr 06, 2007 8:52 pm
Post subject: Multiple SSL License Problems
Archived from groups: microsoft>public>inetserver>iis

Hi,

I am running multiple sites under my IIS 6.0. I have two sites that
require SSL. When I add the second SSL certificate on port 443 I get a
port conflict. My router transfers all 443 calls to my IP address and
I assumed that host header name will take care of the routing (same as
port 80) but it does not. Does anybody know what I am doing wrong?

Thanks,
Mo

David Wang

External


Since: Dec 22, 2006
Posts: 560



(Msg. 2) Posted: Sat Apr 07, 2007 1:14 am
Post subject: Re: Multiple SSL License Problems
Archived from groups: per prev. post

On Apr 6, 8:52 pm, "Mo" <le_mo....RemoveThis@yahoo.com> wrote:
> Hi,
>
> I am running multiple sites under my IIS 6.0. I have two sites that
> require SSL. When I add the second SSL certificate on port 443 I get a
> port conflict. My router transfers all 443 calls to my IP address and
> I assumed that host header name will take care of the routing (same as
> port 80) but it does not. Does anybody know what I am doing wrong?
>
> Thanks,
> Mo


This question has been discussed many times before on this newsgroup
so I recommend searching and reading up on it.

Please search this newsgroup as well as microsoft.com for information
on how SSL and SSL+HostHeader work. What you are doing is most
certainly failing by design because your assumptions are incorrect.

People usually assume that SSL magically encrypts the right data and
leaves HostHeader-based routing intact, but that is not the case. SSL
encrypts at the TCP level for the entire TCP packet, including the
entire HTTP request, which includes the HostHeader and entity body.
This leads to a catch-22 because in order to route by HostHeader you
have to decrypt the request packet to get the HostHeader, but in order
to decrypt with the right SSL Server Certificate you need to know the
HostHeader.

If you cannot get a single SSL certificate that is valid for both
sites, then you MUST run the websites with distinct IP addresses.
There is no way around it.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Mo

External


Since: Apr 06, 2007
Posts: 2



(Msg. 3) Posted: Sat Apr 07, 2007 5:26 am
Post subject: Re: Multiple SSL License Problems
Archived from groups: per prev. post

Thank you for the great explanation. I believe I was not clear. I
found Microsoft KB on how to configure server binding at:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library...S/596b9

In this article it mentions that

"With IIS 6.0 on Windows Server 2003 SP1, SSL for host header-based
sites is now supported."

The problem I have is that this procedure explains how to use the wild
card for multiple secure sites within the same domain so the
certificate is generated for:

*.mycompany.com

And will work for

https://Site1.mycompany.com
https://Site2.mycompany.com

What I need to do is to have multiple domains such as:

https://domain1.com
https://domain2.com

There has got to be a workaround since many web hosting companies are
already doing it.

Thanks,
Mo
Mike DiChiappari

External


Since: Apr 09, 2007
Posts: 5



(Msg. 4) Posted: Mon Apr 09, 2007 3:13 am
Post subject: Re: Multiple SSL License Problems
Archived from groups: per prev. post

David, you seem to be posting multiple replies on this matter and they seem
to contradict one another. On 2/9/2007 you wrote, "you do NOT need a
wildcard certificate to do SSL+Host headers with IIS6 on WS03SP1, but it is
the easiest. You can use SelfSSL or SSLDiag 1.1 to generate and install SSL
certs that work for SSL+Host headers for free, assuming you can handle the
usual trust issue with certificates."

So what is it? Can IIS work with host headers + SSL or not? The type of
misinformation and disinformation you are generating is confusing the matter
more.

Mike


"David Wang" <w3.4you.RemoveThis@gmail.com> wrote in message
news:1175933642.508849.168340@q75g2000hsh.googlegroups.com...
> On Apr 6, 8:52 pm, "Mo" <le_mo....RemoveThis@yahoo.com> wrote:
>> Hi,
>>
>> I am running multiple sites under my IIS 6.0. I have two sites that
>> require SSL. When I add the second SSL certificate on port 443 I get a
>> port conflict. My router transfers all 443 calls to my IP address and
>> I assumed that host header name will take care of the routing (same as
>> port 80) but it does not. Does anybody know what I am doing wrong?
>>
>> Thanks,
>> Mo
>
>
> This question has been discussed many times before on this newsgroup
> so I recommend searching and reading up on it.
>
> Please search this newsgroup as well as microsoft.com for information
> on how SSL and SSL+HostHeader work. What you are doing is most
> certainly failing by design because your assumptions are incorrect.
>
> People usually assume that SSL magically encrypts the right data and
> leaves HostHeader-based routing intact, but that is not the case. SSL
> encrypts at the TCP level for the entire TCP packet, including the
> entire HTTP request, which includes the HostHeader and entity body.
> This leads to a catch-22 because in order to route by HostHeader you
> have to decrypt the request packet to get the HostHeader, but in order
> to decrypt with the right SSL Server Certificate you need to know the
> HostHeader.
>
> If you cannot get a single SSL certificate that is valid for both
> sites, then you MUST run the websites with distinct IP addresses.
> There is no way around it.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
Anthony

External


Since: Aug 11, 2006
Posts: 28



(Msg. 5) Posted: Mon Apr 09, 2007 9:36 am
Post subject: Re: Multiple SSL License Problems
Archived from groups: per prev. post

The confusion is in what a wildcard certificate is.

1) You can now bind different host headers requiring SSL to the
same IP address. This is clear.
2) But you must use a wildcard certificate, because at the time of directing
the request IIS does not know what the domain is, so they must all be valid
on the same certificate. This is clear.
3) Wildcard certificates by definition are for the same domain i.e.
*.domain.com. If they were for domain1.com and domain2.com then the wildcard
would be *.com and you would be defeating the purpose of the certificate, to
validate the identity of the site. This is not stated, but is not an
MS-defined feature.
4) Wildcard certificates are expensive, unless self-certified. So on an
intranet you can use them freely, but they are of limited use on the
internet.

So the whole host-header with SSL thing depends on understanding wildcard
certificates.
Anthony
www.airdesk.co.uk





"Mo" <le_mo_mo.TakeThisOut@yahoo.com> wrote in message
news:1175948802.911194.162570@b75g2000hsg.googlegroups.com...
> Thank you for the great explanation. I believe I was not clear. I
> found Microsoft KB on how to configure server binding at:
>
> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library...S/596b9
>
> In this article it mentions that
>
> "With IIS 6.0 on Windows Server 2003 SP1, SSL for host header-based
> sites is now supported."
>
> The problem I have is that this procedure explains how to use the wild
> card for multiple secure sites within the same domain so the
> certificate is generated for:
>
> *.mycompany.com
>
> And will work for
>
> https://Site1.mycompany.com
> https://Site2.mycompany.com
>
> What I need to do is to have multiple domains such as:
>
> https://domain1.com
> https://domain2.com
>
> There has got to be a workaround since many web hosting companies are
> already doing it.
>
> Thanks,
> Mo
>
David Wang

External


Since: Dec 22, 2006
Posts: 560



(Msg. 6) Posted: Mon Apr 09, 2007 3:20 pm
Post subject: Re: Multiple SSL License Problems
Archived from groups: per prev. post

Anthony already posted the clarifications you require. I honestly do
not see any contradictions in what I said.

Maybe you are not aware of this, but I am forced to tailor the One
Truth to suit the user's requirements because most people just want
"answers" and not "learning". And for a topic like SSL+HostHeaders,
you certainly cannot apply the answers without a fundamental
understanding. I'm sorry that you see my responses as contradictory,
but I hope you realize that one cannot give the full learning and
connect the dots all the time because that is not what most people
want. Incidentally, this includes your own questions based on your
recent history.

If you want a better understanding of how something works, then you
need only ask nicely.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//






On Apr 8, 8:13 pm, "Mike DiChiappari" <mdichiapp... DeleteThis @cardeatech.com>
wrote:
> David, you seem to be posting multiple replies on this matter and they seem
> to contradict one another. On 2/9/2007 you wrote, "you do NOT need a
> wildcard certificate to do SSL+Host headers with IIS6 on WS03SP1, but it is
> the easiest. You can use SelfSSL or SSLDiag 1.1 to generate and install SSL
> certs that work for SSL+Host headers for free, assuming you can handle the
> usual trust issue with certificates."
>
> So what is it? Can IIS work with host headers + SSL or not? The type of
> misinformation and disinformation you are generating is confusing the matter
> more.
>
> Mike
>
> "David Wang" <w3.4... DeleteThis @gmail.com> wrote in message
>
> news:1175933642.508849.168340@q75g2000hsh.googlegroups.com...
>
>
>
> > On Apr 6, 8:52 pm, "Mo" <le_mo... DeleteThis @yahoo.com> wrote:
> >> Hi,
>
> >> I am running multiple sites under my IIS 6.0. I have two sites that
> >> require SSL. When I add the second SSL certificate on port 443 I get a
> >> port conflict. My router transfers all 443 calls to my IP address and
> >> I assumed that host header name will take care of the routing (same as
> >> port 80) but it does not. Does anybody know what I am doing wrong?
>
> >> Thanks,
> >> Mo
>
> > This question has been discussed many times before on this newsgroup
> > so I recommend searching and reading up on it.
>
> > Please search this newsgroup as well as microsoft.com for information
> > on how SSL and SSL+HostHeader work. What you are doing is most
> > certainly failing by design because your assumptions are incorrect.
>
> > People usually assume that SSL magically encrypts the right data and
> > leaves HostHeader-based routing intact, but that is not the case. SSL
> > encrypts at the TCP level for the entire TCP packet, including the
> > entire HTTP request, which includes the HostHeader and entity body.
> > This leads to a catch-22 because in order to route by HostHeader you
> > have to decrypt the request packet to get the HostHeader, but in order
> > to decrypt with the right SSL Server Certificate you need to know the
> > HostHeader.
>
> > If you cannot get a single SSL certificate that is valid for both
> > sites, then you MUST run the websites with distinct IP addresses.
> > There is no way around it.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
Wowotoe

External


Since: Jun 04, 2007
Posts: 1



(Msg. 7) Posted: Mon Jun 04, 2007 5:46 pm
Post subject: Re: Multiple SSL License Problems
Archived from groups: per prev. post

Sorry to bring up this topic again. But I think many users (including
the original poster) must have the same question: why can't we do it
with multiple SSL certs instead of a wildcard cert?

I found many people responded to this type of question by just
telling them to use a wildcard cert, with no explanation of the concept.
But their questions have nothing to do with wildcards and people don't
want a wildcard. This is why they keep on asking the same question over
and over.

Mo, to answer your question for multi-domains on the same IP:port thru
SSL, this is not feasible because the incoming request is already bound
to IP:443 before the SSL decryption on the server side. SSL encryption
happens on the TCP level. This means https://domain1.com and https://domain2.com
will automatically go to default port 443 because the SSL host header is
still encrypted at this level. There is no way for IIS to figure out
which header to use so it has to pick the default "private key" (port
443) for decryption.

You can try to use different ports on the same IP for SSL
(https://domain2.com:800) and bind different SSL certs to the same IP but
different ports. This way the SSL request will know which private key to
use to decrypt the entire thing.

Hopefully this will help you plan your settings.


On Apr 9, 1:36 am, "Anthony" <anthony.s....TakeThisOut@spammedout.com> wrote:
> The confusion is in what a wildcard certificate is.
>
> 1) You can now bind different host headers requiring SSL to the
> same IP address. This is clear.
> 2) But you must use a wildcard certificate, because at the time of directing
> the request IIS does not know what the domain is, so they must all be valid
> on the same certificate. This is clear.
> 3) Wildcard certificates by definition are for the same domain i.e.
> *.domain.com. If they were for domain1.com and domain2.com then the wildcard
> would be *.com and you would be defeating the purpose of the certificate, to
> validate the identity of the site. This is not stated, but is not an
> MS-defined feature.
> 4) Wildcard certificates are expensive, unless self-certified. So on an
> intranet you can use them freely, but they are of limited use on the
> internet.
>
> So the whole host-header with SSL thing depends on understanding wildcard
> certificates.
> Anthony
> www.airdesk.co.uk
>
> "Mo" <le_mo....TakeThisOut@yahoo.com> wrote in message
>
> news:1175948802.911194.162570@b75g2000hsg.googlegroups.com...
>
> > Thank you for the great explanation. I believe I was not clear. I
> > found Microsoft KB on how to configure server binding at:
>
> > http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Librar...
>
> > In this article it mentions that
>
> > "With IIS 6.0 on Windows Server 2003 SP1, SSL for host header-based
> > sites is now supported."
>
> > The problem I have is that this procedure explains how to use the wild
> > card for multiple secure sites within the same domain so the
> > certificate is generated for:
>
> > *.mycompany.com
>
> > And will work for
>
> > https://Site1.mycompany.com
> > https://Site2.mycompany.com
>
> > What I need to do is to have multiple domains such as:
>
> > https://domain1.com
> > https://domain2.com
>
> > There has got to be a workaround since many web hosting companies are
> > already doing it.
>
> > Thanks,
> > Mo
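
The constraint argued over in this thread, as an added example (not code from any poster or from Microsoft): a small Python audit that groups SSL sites by IP:port and flags endpoints where no single configured certificate is valid for every host name bound there. The site records, the 192.0.2.x addresses and the function names are constructed for illustration, and the one-label wildcard rule is the usual certificate name-matching convention.

```python
from collections import defaultdict

def name_matches(cert_name, host):
    """True if one certificate name (exact, or '*.' wildcard) covers host."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                     # "*.mycompany.com" -> ".mycompany.com"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]
    return bool(label) and "." not in label    # wildcard stands for exactly one label

def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)

def audit_ssl_bindings(sites):
    """Return {(ip, port): [hosts]} for endpoints that no configured cert can serve.

    Assumption of this sketch: the certificate is chosen from IP:port alone,
    before the Host header is readable, so one cert must cover every host there.
    """
    endpoints = defaultdict(list)
    for site in sites:
        endpoints[(site["ip"], site["port"])].append(site)
    conflicts = {}
    for endpoint, group in endpoints.items():
        hosts = sorted(s["host"] for s in group)
        shared_ok = any(all(cert_covers(s["cert_names"], h) for h in hosts)
                        for s in group)
        if len(group) > 1 and not shared_ok:
            conflicts[endpoint] = hosts
    return conflicts

# Constructed sample bindings (documentation IPs; hostnames echo the thread).
WILDCARD = ["*.mycompany.com"]
SITES = [
    {"host": "site1.mycompany.com", "ip": "192.0.2.10", "port": 443, "cert_names": WILDCARD},
    {"host": "site2.mycompany.com", "ip": "192.0.2.10", "port": 443, "cert_names": WILDCARD},
    {"host": "domain1.com", "ip": "192.0.2.20", "port": 443, "cert_names": ["domain1.com"]},
    {"host": "domain2.com", "ip": "192.0.2.20", "port": 443, "cert_names": ["domain2.com"]},
    {"host": "domain1.com", "ip": "192.0.2.30", "port": 443, "cert_names": ["domain1.com"]},
    {"host": "domain2.com", "ip": "192.0.2.31", "port": 443, "cert_names": ["domain2.com"]},
]

if __name__ == "__main__":
    for (ip, port), hosts in audit_ssl_bindings(SITES).items():
        print(f"{ip}:{port} cannot serve {hosts} with any single configured certificate")
```

Only the 192.0.2.20:443 endpoint is reported: the wildcard pair shares one valid certificate, and the last two sites avoid the problem by using distinct IP addresses.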