I have a website what is now at development state and can be accessed by IP in two ways: at internal company network site can be accessed by 198.162.0.10/WebSite and from Internet 212.19.10.50:1234/WebSite
When user goes to 212.19.10.50:1234 it's redirected by routing to 198.162.0.10 with 443 port for https.
How can I install server certificate in my case? I need to make it work without certificate issues both at internal and external network.
Is it possible to create 2 certificates for one site to make IIS select prober certificate in my case?
And what SAN inside certificates subject have to be for external network? External IP?
Answer
Although technically it's possible to set up IIS to support this, you won't be able to get SSL certificates for this kind of setup. I will explain later...
The important thing to remember with SSL is that it's the client's browser doing the validation of the certificate. So it's important what address the client's browser is using to connect to the server. This is the address (also called the common name
or CN) for which the certificate should be valid.
If you have clients that connect to the same website with two different host names (or IP addresses in this case) you must either have two certificates for the two host names or a multi-domain certificate. The latter is the easiest to set up but is also more expensive. But adding two certificates to one website is also not that hard. You only have to make sure that you have two separate IP addresses bind to the same website. Each SSL binding requires it's own IP address. Because the server is on an internal network I guess it's not that hard to add an extra IP address (e.g. 198.162.0.10
and 198.162.0.11
).
You install both certificates on the server in the regular way and then you go into bindings for the website. First you add the first IP address (e.g. 198.162.0.10
) that is used for accessing the server from the public internet. You select HTTPS as the protocol and then select the certificate which has the public host name / IP address as the common name. It doesn't matter that the hostname / IP address for the certificate doesn't match with the internal IP address. Again, the server does nothing with it, it's the client's browser validating the certificate.
Then you add the second IP address (e.g. 198.162.0.11
) which you use to access the server internally. Again you select HTTPS as protocol but this time you select the certificate which has the internal IP address (i.e. 198.162.0.11
) as a common name. And then you should be done.
But... although there are a few certificate authorities that will provide certificates for IP addresses, these must be public IP addresses and you must be able to prove that you are the owner of these IP addresses (e.g. RIPE records). They will however not provide certificates for private IP ranges (like 192.168.x.x). And that's what you need for this setup, so you are out of luck.
Two solutions: either make sure your website is accessible by it's public IP address from the inside network as well and get one certificate for that public IP address. Or make it accessible by the same host name from both the public IP address and the internal network. This host name can be mapped to an internal IP address for the internal network, that's not a problem, as long as the host name (= common name) is the same. After all, that's all the browser checks.
No comments:
Post a Comment