So I am new to using SSL certs on websites and have some questions..
If I get a SSL cert I can use it on my main production web box and a clone failover box correct, I don't need to get two different PFX keys or pay for two?
I have two sites like this in IIS7.
a. www.kylesite.com
b. account.kylesite.com
They both need https but when I assign the SSL ceftificate in the http binding of the site it gives me this and I don't know what to make of it or if I can use this same cert for my main site and subdomain site..
1) Yes you can export to PFX (include the private key), and import into a new box.
2) You need a unique IP:PORT combo in order to bind IIS to an SSL certificate.
Related
I have a purchased a domain name from Google domains. I need to use this domain name for my site hosted in IIS. How to add my domain in IIS.
How to export my SSL certificate .pks file requied by IIS for importing SSL certificate.
Open your IIS manager, select your site, click Bindings… on the right, and click the Edit… button, then enter the domain name you purchased in the Host name blank box, and click OK.
To enable HTTPS on your web server, you need to obtain a certificate and bind it to your website.
You can try creating a self-signed certificate for testing.
Select the server node and select the IIS->Server Certificates feature
click Create Self-Signed Certificate to create a new certificate.
Then try adding the new binding to your site. In the Type box, choose https instead of http, then choose a certificate in the SSL certificate combo box. Save the settings and then you can try to access your website using https.
You will get a warning that the site is not secure, but you can force your site content. To remove the warning, bind to your site with a certificate from a trusted certificate authority.
You can refer to this document for more information.
To generate .crt certificate for your domain from Google domains use letsencrypt.
There are many menthos to generate I have used
Crypt-LE.
And generate the .pks file and add the SSL certificate to IIS.
So I have a certificate called azerwmetricp02.test2.com, and when I use this certificate for an HTTPS website where the Host Name is the same as the certificate URL, then I can access this website.
But now I want to add a second website to my IIS, which also use https, but I can't use the same URL azerwmetricp02.test2.com. Is there a way to use this certificate azerwmetricp02.test2.com but for two websites? let's say website1.azerwmetricp02.test2.com and website2.azerwmetricp02.test2.com?
I did try this guide, but it doesn't work, it just says that I have no access to any website: https://www.digicert.com/kb/ssl-support/ssl-host-headers-iis-8.htm
Is this even possible or do I need to get a second certificate so I have one per website hosted on the IIS?
I have just bought an SSL Certificate for my website from azure. when setting up a certificate under "Naked domain hostname" i entered the domain name WITHOUT "www".
Currently if i were to view my website with https://xyz.ca, it works just fine and it says it is secure, but if enter www.xyz.ca i do not see anything.
To atleast view the website with www.xyz.ca, i have removed HTTPS:// only request. However now this makes website un-secure.
Question
1. what will be the best way to make www.xyz.ca secure using the same certificate that i have bought?
2. if there is any other solution available, that will be fine too.
I am attaching some screenshots to understand better:
In fact a cert CAN support MANY domains. Now, whether this is something that you can add for free with the SSL provider you have chose is a different question. Certificate Subject Alternate Name(s) are what is used for this. For example the cert for this site allows stackexchange.com AND stackoverflow.com and a number of others and sub-domains too.
A valid SSL certificate must match the access FQDN domain name.
One Standard certificate only could be used for one FQDN domain name, such as www.xyz.ca while one WildCard certificate could be used for all like *.xyz.ca FQDN domain name, so usually we use the same WildCard certificate for all different services. More information about SSL Certificate Names
As the comment point it out, instead of buying one via the Azure Portal, you can get a free one via letsencrypt.org
Update
When you purchase an app service certificate in Azure for a root domain, by default, Azure supports hostname as a root domain name and www subdomain. You do not need to purchase another certificate. In this case, you already have two hostnames assigned to the site. You just bind the certificate for each. If you don't see the domain name(s) in the Hostname dropdown, try refreshing the browser page or change another browser.
I used to run one of my websites (EyeDentity.Online) from a Windows VM on Azure. I had an SSL Certificate in IIS up to run it and all was well in the world.
Since I moved the Website to the Azure App Service and installed the SSL Certificate in Azure whenever I go to the Website for the first time in a browser session it tells me that the certificate is invalid.
It appears to quote the standard AzureWebsites.NET even though my certificate is bound to my website
How can I get this warning to go away as it may be scaring away users!
Things to check:
You must be on Standard or Premium level to bind to cert
Check SSL bindings section of Custom Domains and SSL blade to make sure you've
bound the domain to the right cert.
The description of the problem sounds like number 2 here. If you haven't changed this, then it will bind by default to the azurewebsites cert and not yours.
Some docs here: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
Your cert is for azurewebsites.net and not EyeDentity.Online. You should get a wildcard cert for your domain name:
*.azurewebsites.net should be: *.eyedentity.online
ref: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/#1-get-an-ssl-certificate
"Before requesting an SSL certificate you must first determine which
domain names will be secured by the certificate. This will determine
what type of certificate you must obtain. If you just need to secure a
single domain name such as contoso.com or www.contoso.com a basic
certificate is sufficient. If you need to secure multiple domain
names, such as contoso.com, www.contoso.com, and mail.contoso.com,
then you can get a wildcard certificate, or a certificate with Subject
Alternate Name (subjectAltName)."
Our team has a Windows 2008 server which is used primary for a common IIS dev box.
I want to enable SSL on one of the websites on IIS, so that it can only be accessed via HTTPS.
I created a self-signing certificate in IIS and installed it. However when I access the website via the browser (Chrome, Firefox or IE - doesn't matter), it always gives the scary..."this is not secure" screen. I've tried installing the certificate on my own computer, rebooting and I still get that screen.
One thing that I noticed is when I create a self-signed certificate, it adds the domain name to it...for instance, the name of the box is webIIS and our login domain is COMPANYDOMAIN. So it will say that the certificate was created by webIIS.COMPANYDOMAIN.com. This url resolves to nothing, since there is no such thing.
Am I going about it the wrong way?
I've answered a similar question here.
Few afterwords:
Your server should have a dns name. If it is in a domain (Active directory or something) it surely does. Find it, use it in CN of the SSL certificate.
CA that will issue SSL certificate should be trusted by clients accessing the server and by the server itself. Place CA certificate in Trusted Root Store (in LocalMachine store) on the server and all clients that will access it. If you have Active Directory it should be pretty simple to distribute it.
CRL that CA has to issue in defined intervals (it's up to you if the CRL will be issued one a day, month, year or lifetime) has to be accessible by clients and server. Either place it at http url that you gave when issuing SSL certificate or manually place in each certificate store (in Trusted Root Store).