Question: Two different certificates in one domain

I have an SBS2003 and a Citrix server. The customer has an IP pack of 8 addresses.
During the installation of SBS there is an automatically created certificate for OWA, mail.domain.be. If I want to create a new certificate, citrix.domain.be, what would be the best practice? Should I install the certificate services on the SBS server or on the Citrix server? If I look at the automatically created certificate I see that it is issued to mail.domain.be and issued by mail.domain.be. I thought I've read somewhere that "issued to" and "issued by" should be the same for the certificate to work, so I need a certificate issued to citrix.domain.be and issued by citrix.domain.be.

Grts Filip

Answer: Two different certificates in one domain

Hi,

If the "issued to" and "issued by" fields are identical, this is called a self-signed certificate. It's not an obligation to have self-signed certificates to make things work... More than that, you should not use self-signed certificates for a server that must be reachable by any person on a public network (Internet).

When you reach an HTTPS web site with your favorite Internet browser (let's say IE) from a computer, there are some conditions that must match to avoid security alerts about a bad certificate:

1) The server part of the URL you used to reach the site must exactly match the common name of the certificate. As an example, if the certificate of the server is made with a common name "www.mysite.com", then the URL you used to reach the site must be something like https://www.mysite.com/....
2) The validity period of the certificate must not be over. A certificate is valid only until a precise date. After this date the certificate is not supposed to be still in use.
3) The certification authority that has issued the certificate MUST be known as a trusted authority by your computer. To do that, the root certificate of the certification authority that issued the certificate of the HTTPS server MUST be imported in the "trusted certification authority" container of your computer.

If any of these conditions is false, you'll have a security alert each time you reach the site with IE, forcing you to confirm the access to this site. Depending on the application, this security alert may be considered an invalid situation and it may fail to go ahead (I don't know if Citrix is really strict about certificate security alerts).


Windows computers are initially provided with the root certificates of a huge part of the public certification authorities (VeriSign, Thawte, ...) so you don't have to download any root certificate when you reach HTTPS sites on the Internet. This is because the certificates used by web sites on the Internet have been bought from and issued by well-known certification authorities and your computer already has their root certificates.


Ok... so in your case. If you NEED a certificate for a precise common name (citrix.domain.be) you have two choices:

1) Call VeriSign, Thawte, or any other public certification authority to buy a certificate for the common name you choose, for HTTPS server authentication. As each certificate has an expiration date you'll have to pay for a new certificate each time the old one expires. It's like a subscription and you'll have to pay each year.
This is technically the easiest solution for an HTTPS site that must be reachable by anyone on the Internet or by any computer on the Internet, because you won't have to install root certificates on the computers as they already have the root certificates for almost all public certification authorities.

2) Install a private certification authority service on one of your servers (on Windows this service is called IAS). From the server that needs the certificate, connect to the private certification authority page and fill in the form for a certificate request (there are a lot of fields and you need some skills or a procedure to fill in the form correctly). On the CA console, accept the request and issue a certificate. Export the certificate with its private key to the server that needs it.
Also from the CA console, export the root certificate of the private CA.
On the HTTPS server that needs the certificate, start by importing the root certificate of the private CA in the "trusted root certification authorities" container. Then import the certificate for your server in the "personal" container. Configure your application (as an example IIS) to use this certificate for encryption.
On the client computers, if you want to avoid a security alert when they reach the HTTPS server, you NEED to import the root certificate of the private certification authority in the "trusted root certification authorities" container.


As you can see, the first solution is easier but asks you to pay each year.
The second solution is free (as long as you already have a Windows 2003 server somewhere you can install IAS on it with no charge, it's a part of the Windows components) but requires skills and operations on the client computers.

Have a good day.
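The three checks listed in the answer (name match, validity period, trusted issuer) and the difference between the SBS self-signed certificate and one issued by a private CA, reproduced with the openssl CLI as an added example that is not part of the original answer. The host names come from the question; the CA name, file names and validity periods are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and certificates
# with the openssl CLI, then apply the three checks a browser makes. Host names
# come from the question; the CA name and file names are constructed here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Option 2 of the answer: a private root CA. Its certificate (ca.crt) is what
# must be imported into each client's "trusted root certification authorities".
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Request and issue a server certificate for one common name, signed by the CA.
issue_server_cert() {  # $1 = common name, $2 = validity in days
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# What SBS did for OWA: a certificate issued to and issued by the same name.
make_self_signed() {  # $1 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The browser's three checks. Prints "ok" or the reason for the security alert.
check_cert() {  # $1 = certificate file, $2 = host in the URL, $3 = trusted roots file
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//')
  [ "$cn" = "$2" ] || { echo "name mismatch: cert is for $cn, URL uses $2"; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    || { echo "certificate expired"; return 2; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 \
    || { echo "issuer not in trusted store"; return 3; }
  echo "ok"
}

make_private_ca
issue_server_cert citrix.domain.be 365
make_self_signed mail.domain.be
check_cert "$WORK/citrix.domain.be.crt" citrix.domain.be "$WORK/ca.crt"  # ok
check_cert "$WORK/citrix.domain.be.crt" mail.domain.be "$WORK/ca.crt"    # name mismatch
check_cert "$WORK/mail.domain.be.crt" mail.domain.be "$WORK/ca.crt"      # issuer not trusted
check_cert "$WORK/mail.domain.be.crt" mail.domain.be "$WORK/mail.domain.be.crt"  # ok once imported
```

The last two calls show the self-signed case from the question: the same certificate fails until its own copy sits in the trusted-roots file, which is what importing it on every client does.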