Setting up HTTPS: Difference between revisions
m (→Bugs) |
No edit summary |
||
Line 66: | Line 66: | ||
SSL on both sites should now work! | SSL on both sites should now work! | ||
=== Best way to have multiple sites === | |||
Based on the above points, it is advisable to create a certificate on a local computer (with all the parameters as you would on the server) and export it to be imported on the server. | |||
Note not to create the certificate on the server if you follow this procedure. |
Revision as of 20:19, 8 November 2006
Creating a single HTTPS web site
Creating a site in IIS
In order to run on the same port number, IIS sites need either unique ip numbers (set in tcp/http *and* ssh/https settings) or different host header values.
Therefore either the ip number has to be one of the available ones provided to neosys by leaseweb etc. or the host header value must be set to clientname.hosts.neosys.com.
The port number for tcp/http should be the neosys standard arbitrary port of 8123, not port 80 in order to prevent access via standard http. We could use various almost arbitrary ports for http since they are going to blocked by tcp/ip filtering or a firewall but it is better to know that port 8123 is the only one since IIS insists on having some port open for http.
The https options are only available after running selfssl (see below) at least once on the server.
Install ssl/https on the site.
install selfssl.exe from Microsoft site then
C:\Program Files\IIS Resources\SelfSSL>selfssl /v:9999 /s:866651215 /p:4430 /n:CN=clientname.hosts.neosys.com
Microsoft (R) SelfSSL Version 1.0 Copyright (C) 2003 Microsoft Corporation. All rights reserved.
Do you want to replace the SSL settings for site 866651215 (Y/N)?y
The self signed certificate was successfully assigned to site 866651215.
/v:9999 means valid for 9999 days /s:866651215 is the site number in this case (site number is shown in IIS management screen) /p:4430 is the non-standard port number neosys uses by convention for ssl/https instead of the standard 443 /n:CN=clientname.hosts.neosys.com indicates the full domain name of the site
Testing access to the new https web site.
Make a subdomain clientname.hosts.neosys.com
https://clientname.hosts.neosys.com:4430/neosys
If you get certificate error:
- check that the selfsll /n:CN=clientname.hosts.neosys.com matches the domain name used in IE
- install the certificate into the client computer (double click the padlock, view certificates etc)
closing all internet explorer versions and restarting is necessary for installed certificates to become effective.
Creating multiple HTTPS web sites
= Update on certificates
The best way to add certificates, is to do the certificate on another systen/computer and export it. When you export it, copy and import it to the server.
- remember to have all the details as you would on the main server **
Bugs
SelfSSL allows only one website to have SSL at a time
IIS Diagnostics Toolkit which has fixed SelfSSL but doesnt allow full control http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx
Solution
Use buggy selfssl as follows:
- create certificate for site 1
- export the certificate to a pfx file (IIS->directory security->server certificate wizard)
- create certificate for site 2. First site's certificate should no longer work
- remove certificate from site 1
- import pfx from step 2 using same wizard
SSL on both sites should now work!
Best way to have multiple sites
Based on the above points, it is advisable to create a certificate on a local computer (with all the parameters as you would on the server) and export it to be imported on the server.
Note not to create the certificate on the server if you follow this procedure.