Archive for category Security

Multiple Common Names for Certificates using selfssl.exe

Securing IIS with SelfSSL.exe when Multiple Common Names are required

Sometimes, you don’t find it in writing :)

BASICS: Server certificates are used to secure network traffic by encrypting the packets. This encryption can be achieved in a variety of ways; RSA certificates are one of them.

Common Names for RSA server certificates identify the name of a certificate to a user and their browser (Firefox, IE, Safari, etc…). This name lets the browser match a site with its correspondingly named certificate. If the names don’t match, the browser throws a warning message.

Certificate names generally match the Domain name or IP address of the site. Example: http://www.wigital.net uses a Common Name in the certificate of www.wigital.net.

Some websites have multiple identities (more than one name). When working with content published to these sites across different networks (intranet, extranet, internet, etc…), there can be a need to *name* a site differently for one network than it is named for another.

EXAMPLE: One set of people might need access to a site with a local network name of (http://privatestuff.local) and another set of people might need access to the same site over the InterNetwork at (http://everybodystuff.com). In this example, different access permissions would be applied depending on how you access it.

Self signed certificate generation in IIS does not consider this need when you read the How To’s (aka. the manual). SO… LET’S MONKEY AROUND :)

You can create multiple Common Names for a selfssl.exe generated certificate using a comma separated list. The default syntax for selfssl.exe is:

selfssl.exe /T /N:cn=everybodystuff.com /K:1024 /V:7 /S:1 /P:443

In this syntax /N:cn=everybodystuff.com is the Common Name (cn). So the common name here is *everybodystuff.com*.

Simply concatenating a series of common names (cn=???) separated by commas will generate multiple common names for the certificate. Example:

selfssl.exe /T /N:cn=everybodystuff.com,cn=privatestuff.local /K:1024 /V:7 /S:1 /P:443

With this technique you can generate multiple common names in succession. There you go!
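After running the command above, it is worth confirming what the installed certificate actually says about itself. The PowerShell function below is an added example, not part of the original post or of the selfssl.exe tool: it assumes selfssl.exe placed the certificate in the local machine Personal store (Cert:\LocalMachine\My), pulls every CN= component out of the subject, lists any dNSName entries in the Subject Alternative Name extension, and reports which of the names you expect to serve are missing. The distinction matters because current browsers match the host name against the SAN extension and ignore the subject CN, so a certificate whose names live only in the subject will still produce a warning in them; the function name and the two host names are constructed for the example.

```powershell
# Added example (not from the original post): inspect the certificate that
# selfssl.exe installed and report every name it carries.
# Assumption: the certificate is in Cert:\LocalMachine\My.

function Get-CertificateNames {
    param(
        # Substring of the Subject used to pick the certificate, e.g. the first cn= value
        [Parameter(Mandatory)] [string] $SubjectMatch,
        # Host names the site is reached under (constructed values in the usage call below)
        [string[]] $ExpectedNames = @()
    )

    # Newest matching certificate wins if selfssl.exe has been run more than once
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate in Cert:\LocalMachine\My matches '$SubjectMatch'"
    }

    # One CN= component per cn= you passed to /N:
    $commonNames = @([regex]::Matches($cert.Subject, 'CN=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() })

    # dNSName entries from the Subject Alternative Name extension (OID 2.5.29.17), if any.
    # Windows formats the extension as "DNS Name=a.example, DNS Name=b.example".
    $sanNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        CommonNames     = $commonNames
        SanDnsNames     = $sanNames
        # Names a SAN-matching browser would reject even though the subject lists them
        MissingFromSan  = @($ExpectedNames | Where-Object { $sanNames -notcontains $_ })
        # Names the certificate does not carry anywhere
        MissingEntirely = @($ExpectedNames | Where-Object {
            ($commonNames -notcontains $_) -and ($sanNames -notcontains $_) })
    }
}

# Usage (constructed host names matching the post's example):
Get-CertificateNames -SubjectMatch 'everybodystuff.com' `
    -ExpectedNames 'everybodystuff.com', 'privatestuff.local' | Format-List
```

If MissingFromSan lists the names you just put in the subject, the certificate works only for clients that still honour the CN; on Windows 8 / Server 2012 and later the built-in New-SelfSignedCertificate cmdlet with -DnsName takes several names and writes them into the SAN extension, which is the form every current browser checks.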

NOTE: This technique is not *commonly* yuk-yuk-yuk needed as most sites use a single name. However, if you do a lot of intranet work you may find it useful on a local network where access to resources varies based on subnet, DNS naming and permissions.

Thanks for reading.

…. and, if you need services, contact WIGITAL about securing your network.


Disable Enumeration of SID

Think it’s time to start a study article on this subject.

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Security/DisableEnumerationofSIDs.html

http://support.microsoft.com/kb/243330

back later to add more :)
