
Win2k IIS 5 - Install SSL Key on 2 Srvs?

By Jim Elliott
Trying to get two Win2K Adv Server machines to use an SSL key with a common hostname. (They'll be clustered.) What I've done is:
1. Use Internet Service Manager on one to create a CSR, and use that CSR with Thawte's web page to make a test certificate.
2. Use I.S.M. again on server1 to enable the cert.
3. Load the SSL Cert snapin in MMC, which doesn't show the cert!
4. Under I.S.M. again, view the Cert and "Copy to File" saving as PFX format.
5. Under MMC again, import this PFX file. OK, can see the cert now.
6. Under MMC on server2, import the same PFX file. Can see the cert.
7. Under ISM on server2, try to enable SSL using an "existing cert" but it doesn't list anything!
Getting similar results on several IIS5 machines, so I must be doing something wrong. Any help appreciated.


Win2k IIS 5 - Install SSL Key on 2 Srvs?

by Joseph Moore In reply to Win2k IIS 5 - Install SSL ...

There is a lot of documentation on Verisign's web site on certificates. Running the same certificate on multiple servers is frowned upon, according to them. You are supposed to buy multiple certificates for each clustered server you want to use the cert. The type of certificate you can get is slightly different from a normal single server certificate. You might want to do some more research on this from the web site.
As for forcing the same cert on multiple machines, I think the only way this can be done is if the machines themselves have the same machine name, as well as the same web site domain name.
So, say your two servers host www.testing.com in a cluster (with DNS round-robin handling things, I assume). Now, say the machines are both called (their NetBIOS machine names) \\WEBSERV1 and \\WEBSERV2.
If you run and have a certificate issued on \\WEBSERV1, I do not believe you will be able to import it on \\WEBSERV2 since the machine name is one of the things that gets put into the SSL certificate encryption. As I understand SSL certificates, they are machine-specific (unless you get the special certificates I mentioned at the beginning). Since both machines have different names, you will not be able to put the cert on the 2nd box.

Hope this helps.


Win2k IIS 5 - Install SSL Key on 2 Srvs?

by Joseph Moore In reply to Win2k IIS 5 - Install SSL ...

Do your own research on this. I could be wrong (it would not be the first time!!!!)


Win2k IIS 5 - Install SSL Key on 2 Srvs?

by Jim Elliott In reply to Win2k IIS 5 - Install SSL ...

Joseph,

Thanks for the suggestion. I'll check again on the Verisign site but I did not find anything there for my specific problem before.

Verisign does "frown" on using the same SSL certificate on multiple machines, but it is certainly possible. The only real restriction is that the common name which the certificate is issued to must match the hostname that the browser is trying to access. E.g. if I have a hostname "www.testing.com" and requests to that hostname are routed (by whatever means -- DNS round robin, hardware or software load balancing) to two web servers, it makes no difference what the servers think their own hostnames are. As long as they respond with an SSL certificate with a common name of "www.testing.com", the browser is happy. Since you can specify the common name for the certificate when you make the request, it can be something totally different than the machine name.

The procedure for setting up a certificate on multiple servers is described on Thawte's web site, and has worked for me before - you make the request on one server, install the resulting certificate on that server, then back up the cert and key to a file. You can then "import" the backup key and file onto the second server. The procedure seems to have changed on IIS 5, though, and I can't figure out what I'm doing wrong.

Hoping someone has run into this specific problem and can shed some light on how the procedure is different with two Win2K and IIS 5.0 servers.


Win2k IIS 5 - Install SSL Key on 2 Srvs?

by Jim Elliott In reply to Win2k IIS 5 - Install SSL ...

Ah, this seems to have been my own problem.

Note to others - it seems to be important that when you load the SSL Certificate module in MMC, be sure to load it under the Local Computer account, rather than as a user, even an Administrator user.

Reading through the Thawte pages, I noticed I was doing this wrong. Seems that when I loaded a cert into MMC as a User, it would not be available to IIS. And certificates I installed via IIS wouldn't appear in the MMC snap-in if I used it with a User account.

Once I tried again but using the Local Computer account in MMC, all works well. Duh.

Jim
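
The store mix-up described in the post above can be checked from the command line. This is an added example, not part of the original thread: it assumes a later Windows release with PowerShell's certificate provider (not available on Windows 2000), the function names are hypothetical, and `www.testing.com` is the sample hostname used in the thread.

```powershell
# Added example: locate a certificate by common name in both personal stores
# and report whether it sits where a web server running as a service can use it.
function Find-SslCertByCommonName {
    param([Parameter(Mandatory)] [string] $CommonName)

    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.GetNameInfo($simpleName, $false) -eq $CommonName } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Thumbprint    = $_.Thumbprint     # compare this value across both servers
                    HasPrivateKey = $_.HasPrivateKey  # False means only the public cert was imported
                    NotAfter      = $_.NotAfter
                }
            }
    }
}

function Test-SslCertPlacement {
    param([Parameter(Mandatory)] [string] $CommonName)

    $found   = @(Find-SslCertByCommonName -CommonName $CommonName)
    $machine = @($found | Where-Object { $_.Store -like '*LocalMachine*' })
    $user    = @($found | Where-Object { $_.Store -like '*CurrentUser*' })

    if ($found.Count -eq 0) {
        Write-Warning "No certificate with CN '$CommonName' in either personal store."
    }
    elseif ($machine.Count -eq 0 -and $user.Count -gt 0) {
        # The situation from the thread: imported under a user account.
        Write-Warning "CN '$CommonName' exists only in the CurrentUser store; re-import the PFX into Local Computer."
    }
    elseif (@($machine | Where-Object { -not $_.HasPrivateKey }).Count -gt 0) {
        Write-Warning "CN '$CommonName' is in LocalMachine but has no private key; import the PFX backup, not just the certificate."
    }
    $found   # emit the rows so thumbprints can be compared between servers
}

# Sample hostname from the thread; run on each server and compare the thumbprints.
Test-SslCertPlacement -CommonName 'www.testing.com'
```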


Win2k IIS 5 - Install SSL Key on 2 Srvs?

by Jim Elliott In reply to Win2k IIS 5 - Install SSL ...

This question was closed by the author
