I have multiple sites that need to have SSL certs installed on them but Amazon EC2 only allows one public IP. I can't use SNI since I need to support IE 7 and up. Is there a way I can have one instance with multiple domains each having SSLs?
Here is what I followed. I made a Private IP and another Elastic IP address that points to that private IP on the same Instance and followed these instructions
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/config-windows-multiple-ip.html
One way around this is to use a UCC Certificate which will validate multiple domains.
This is very simple to set up as you serve up the same certificate for every domain but there a couple of wrinkles that may or may not matter in your case:
The certificate "Issued To" information will only list the primary domain name. A user would have to view the detailed certificate information to see this - the browser will correctly show the current domain as "verified".
All of the domains are listed in the certificate, so if you do not want sites to appear 'connected' to each other, you should not use this type of certificate. Once again, the user would have to display the certificate details to notice this.
Related
I have 6 different micro services with an Azure Traffic Manager setup for each of them. The services are running in 3 different regions to improve their performance but I need to come up with the certificates for the Azure Traffic Manager.
I have seen that there are two options available in the Azure Portal: The Standard and the Wild Card. While the latter is much more expensive, I was wondering if the same SSL Certificate can be used in all my 6 services so in the end, I will save money.
All my sites are like this:
http://foo1.trafficmanager.net
http://foo2.trafficmanager.net
http://foo3.trafficmanager.net
http://foo4.trafficmanager.net
http://foo5.trafficmanager.net
http://foo6.trafficmanager.net
As you can see the, the domain is the same (I do not have any custom domain, just the by default trafficmanager.net), so I am wondering whether one certificate will be enough. I have not seen any information about the wildcard certificate and it is pretty expensive to just give it a try...
Also, is there any security concern if I use the same certificate for all the sites? Is there a best practice recommendation? 1 certificate per site vs. 1 certificate for multiple sites.
Lastly, if I decide to use Custom Domains in the future, will I be able to reuse the issued certificate? (the domain will not be trafficmanager.net anymore)
Actually, a valid SSL certificate must match the access FQDN domain name. One Standard certificate only could be used for one FQDN domain name, such as "foo1.trafficmanager.net" while one WildCard certificate could be used for all like "*.trafficmanager.net" FQDN domain name, so usually we use the same WildCard certificate for all different services.
If you use Custom Domains in the future, you need to deploy new certificate to match the new Custom domain.
You can get more details about SSL Certificate Names
Aim:
I want to use free SSL certificate on Cloudflare on the website that is current hosted on Azure.
Background
A SSL certificate has been bought from Azure, but we found that we need to upgrade our subscription before able to bind it to our website. Hence, we decided to use Cloudflare free plan that also offers SSL. The domain provider that we use is godaddy.
Problem:
I have followed the instructions here, and now on the Cloudflare, I could see the status for SSL certificate as Active Certificate. However, when I enter the url as https://mywebsite (https), it says that This certificate is not valid (host name mismatch), which is shown on the screenshot below:
Questions
Why does the current SSL certificate points to .azurewebsites.net? Shouldn't it points to cloudflare, after changing the nameservers? What does it mean by host name mismatch?
Current status for SSL certificate on Cloudflare is Active Certificate, does it mean that it's verified and currently applied to the website?
Thank you very much!
You are correct, if it is configured properly it should display the correct certificate in your browser. Possible reasons that it doesn't show correctly: old certificate cached in browser, old nameservers cached, you're not using cloudflare for the appropriate DNS records.
1b. As for the host name mismatch, you typed in example.com and it returned a certificate for a different domain. This means that the data can still be encrypted during transmission but that you are probably not communicating with who you think you are.
Not necessarily. In the article that you link is a great diagram of this process (5th image). You are using Flexible SSL. In order for this to work your website needs to go to Cloudflare's servers first. You can have an active certificate but that doesn't mean that it's been applied to your website. Make sure that the domain and/or any subdomains are on cloudflare and that data is routed through Cloudflare's servers.
I am looking to move my websites from sitting on an Azure VM to being in an App Service.
In the App service there are several items in the Pricing I don't understand and cannot find answers too. Do you know what these items means?
"Up to 10 Instances" Auto Scale. Does this means I can host 10 apps on this plan, or that it will create new instances for my individual apps when under load? IE if my website google.com was being used a lot, would 10 instances of this website spin up?
5 SNI, 1IP - What on earth does this mean?
Thanks!
Tom
Auto Scale means that the Azure will automatically create instances or shutdown them, based on your website traffic. So your second example is correct.
5SNI (Server Name Indication) or 1IP, I'm just gonna explanation copy and paste from Azure documentation website (here) as I believe it's explained quite well:
IP based SSL associates a certificate with a domain name by mapping the dedicated public IP address of the server to the domain name. This requires each domain name (contoso.com, fabricam.com, etc.) associated with your service to have a dedicated IP address. This is the traditional method of associating SSL certificates with a web server.
SNI based SSL is an extension to SSL and Transport Layer Security (TLS) that allows multiple domains to share the same IP address, with separate security certificates for each domain. Most modern browsers (including Internet Explorer, Chrome, Firefox and Opera) support SNI, however older browsers may not support SNI. For more information on SNI, see the Server Name Indication article on Wikipedia.
I have one website configured for Windows Server 2012 IIS 8. This one website can be accessed by xyz.com or abc.com (2 different top level domain names). Is it possible to configure SSLs for both?
Yes. You can configure two different domains with two different certificates for the same IP and port no(443). After providing the domain name in Binding, enable check box Require Server Name Identification(IIS8). If you do not enable this check box, two websites will have the same single certificate, if you change one website binding file, it will reflect in other website also.. I have experienced.
Please refer below link.
http://www.orcsweb.com/blog/fred/host-different-ssls-on-one-ip-with-iis-8-sni/
As Windows Azure web site is powered by IIS, you can see from the offerings that it is possible to bind multiple SSL to a single site,
http://azure.microsoft.com/en-us/pricing/details/web-sites/#web-sites
The trick is to use SNI,
http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
Yes you can add multiple https bindings each with their own separate ssl certificate to the same site in IIS. However you'll want to bind them to separate IP addresses so that the certificate for xyz.com is bound using the IP address for xyz.com, and the certificate for abc.com is bound using the IP address for abc.com. But frankly, it'd be better practice to have one redirect to the other, or just make 2 sites in IIS and keep everything separate.
I was asked to create a sharepoint web application with ssl on a server with sharepoint 2010 installed. The problem is that this port seems to be in use for hosting our subversion repository. So when i try to browse my sharepoint site, it just shows a page with my repository. I've read about installing certificates and configuring multiple sites on one port with host headers but i never succeeded to complete this job. I would really appreciate some help here.
Thanks!
Assuming you're talking about individual SSL certificates (as opposed to a single wildcard certificate), I believe each website HAS to have its own IP address. AFAIK it is not possible to run multiple websites with multiple SSL certificates under the same IP address.
Depending on who is hosting the server, you would need a new IP address to be allocated to the server, and then within IIS you use the new IP address against the hostheader of your new website. You should find that the certificate works correctly, if not then try removing the certificate from the website and re-allocating it.
You would only be able to use a wildcard certificate if the primary domains of the websites were the same (e.g. website1.mydomain.com and website2.mydomain.com).
Thomas,
I've run into a similar situation before where the requirements dictated that we use 1 ip address, but the domains will be different (eg. website1.com, somesite.org, website2.us).
You can achieve this by using a Unified Communications certificate with Subject Alternative names. Currently, Digicert offers a UC certificate that can achieve this, but some other CA's will not.
Essentially you will have 1 certificate bound to :443 on the same ip address. The big drawback to this is that if the cert goes down, all the sites SSL will not work.
You have to manually (via powershell) bind each domain to port 443 however, but the instructions are fairly simple.
Server Name Indication would be another way, but it's not even an option in IIS 6