
We have an app and, long story short, things have to be set up this way in order for the rest of the app not to fail.

We have a domain

https://server01/AppNet

In IIS the 443 binding is set up to use a cert with:

CN=server02

When I hit the page for

https://server01/AppNet

I get an SSL warning


I found this article

https://superuser.com/questions/522123/how-do-i-get-my-browser-to-ignore-certificate-on-trusted-domain

But would like to avoid the part about:

"Unfortunately, it'll also stop the browser from complaining about address mismatches on every other site you visit, as well. That's less than ideal, but it's the kind of tradeoff you get to make when you use IE."

I have also followed the steps outlined below; however, it still gives the error.

Fix 1 – Install the Certificate

1. Right-click the “Internet Explorer” icon, then choose “Run as administrator”.
2. Visit the website, and choose the option to “Continue to this website (not recommended).”
3. Click where it says “Certificate error” in the address bar, then choose “View certificates”.
4. Select “Install Certificate…”.
5. Select “Next”.
6. Select the “Place all certificates in the following store” option.
7. Select “Browse…”.
8. Choose “Trusted Root Certification Authorities”, then select “OK”.
9. Select “Yes” when prompted with the security warning.
10. Select “OK” on the “The import was successful” message.
11. Select “OK” on the “Certificate” box.

This is only for an internal network.

Is there anything I can add to IIS?

Is there anything I can add to DNS?

Any other workarounds?

Anthony Fornito
  • Can you tell the user to access the server2 URI? That will allow you to simply add a server2 DNS entry pointing to server1 – yagmoth555 Jan 10 '17 at 20:55
  • I'm not sure what you mean? Server2 URI? – Anthony Fornito Jan 10 '17 at 20:57
  • Can you elaborate on why it has to be set up in this obviously broken way, with a cert that does not match? It doesn't sound like a reasonable starting point. – Håkan Lindqvist Jan 10 '17 at 20:58
  • I know. server01 hosts an array of legacy applications that have to talk to external resources, and those resources have to use server01 for their SSL. The application is hosted on server01; however, the domain name is redirected to server02, hosted on the same box. I do not get an SSL warning when going to server02/AppNet because the CN matches; however, when hitting Server01/AppNet I get the error because the CN mismatches. So in short, what I would like to be able to do is ignore the error for that name / SSL. – Anthony Fornito Jan 10 '17 at 21:02
  • As for the quoted workaround included in the question, that's a workaround for a warning about an untrusted certificate. Not relevant to the different scenario of a certificate with the wrong subject name. – Håkan Lindqvist Jan 10 '17 at 21:02
  • @AnthonyFornito Why not either get an additional cert for server01 or a cert that matches both server01 and server02? – Håkan Lindqvist Jan 10 '17 at 21:05
  • Yes, this was my first thought and maybe my only alternative. I was hoping to be able to figure out a workaround because the server owner is not in, but if I don't find out anything today I will do this tomorrow and see if it works – Anthony Fornito Jan 10 '17 at 21:07

1 Answer

If you have access to create your certificates for that server, I suggest you create a certificate that includes the alternate names that the server may be known as. That way the browser will automatically resolve the correct name.

From https://blogs.msdn.microsoft.com/varunm/2013/06/18/bind-multiple-sites-on-same-ip-address-and-port-in-ssl/

SAN Certificate (Subject Alternative Name Certificate)

You can set up a wildcard certificate if the domain name for all the sites is the same and only the first-level subdomain changes. What if you want to set up sites which should work on two different domain names, for example, a site with host header www.testserver1.com and another site with host header www.testserver2.com? In this case a wildcard certificate won’t help you. To resolve this issue we have the SAN certificate.

A SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for myserver.com, and then add more SAN values to have the same certificate protect myserver.org, myserver.net and even myserver2.com or www.example.com.

You can see the domain names in the Subject Alternative Name field of the certificate.

sweetfa
  • Yes, this was my first thought and maybe my only alternative. I was hoping to be able to figure out a workaround because the server owner is not in, but if I don't find out anything today I will do this tomorrow and see if it works. – Anthony Fornito Jan 10 '17 at 21:06
  • There is nothing you can do at your end except disable all hostname checking, which, as you have indicated, is not best practice. Some browsers allow you to permanently ignore this security check, but from memory IE does not provide this option. – sweetfa Jan 10 '17 at 21:08
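As an added illustration of the answer above (example code, not from the answer, the question, or Microsoft's article): issuing a certificate whose SAN lists both server01 and server02 and binding it to port 443 on the IIS box. It assumes a self-signed certificate is acceptable because the network is internal (with an internal CA you would request the same SAN list from the CA and skip the Root import); the site name and export path are placeholders.

```powershell
# Added example: SAN certificate covering every hostname clients use, bound to IIS 443.
# Hostnames come from the question; site name and file path are placeholders.
Import-Module WebAdministration

$hostnames = @('server01', 'server02')   # every name used in URLs for /AppNet

# 1. Create a certificate whose Subject Alternative Name lists both hostnames.
#    The first -DnsName entry also becomes the Subject CN; the others go into the SAN.
$cert = New-SelfSignedCertificate -DnsName $hostnames `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Check the SAN extension really carries every name before binding it,
#    because a name missing here is exactly the mismatch the browser warns about.
$missing = $hostnames | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { throw "SAN is missing: $($missing -join ', ')" }

# 3. Point the site's HTTPS binding at the new certificate
#    (this replaces the CN=server02-only certificate on port 443).
$site = 'Default Web Site'               # placeholder: the site hosting /AppNet
$binding = Get-WebBinding -Name $site -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $site -Protocol https -Port 443
    $binding = Get-WebBinding -Name $site -Protocol https -Port 443
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# 4. Self-signed only: trust it on this machine. Clients need the same import
#    (ideally pushed by Group Policy), otherwise the warning changes reason
#    from "name mismatch" to "untrusted issuer" instead of going away.
$cerPath = 'C:\temp\appnet-san.cer'      # placeholder export path
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Show what the certificate now covers; both names in the question must appear.
"Thumbprint $($cert.Thumbprint) covers: $($cert.DnsNameList.Unicode -join ', ')"
```

After this, https://server01/AppNet and https://server02/AppNet are both served with a certificate whose SAN matches the name in the URL, so neither needs the per-site "ignore mismatch" setting the question wants to avoid.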