Sharing SSL

[Jeremy]

I have a bunch of Web sites on a production server that is completely under
my administrative control. Each Web site has a login page. I want to use
HTTPS (ssl) for the login page only so that the user's credentials can be
secured in transmission. Standard stuff here.

My question:
I don't want to have to purchase a SSL certificate for each Web site. That
seems like a lot of money for the little that I want to be securing. I don't
want to cheat "The Man" so I hope I'm not asking for something unethical
here. Just wondering how I can use one SSL certificate and provide secure
authentication for all the Web sites on the server.

FWIW, this is a Windows 2003 Server (Standard Edition) on the Internet. .NET
Framework 1.1, and all sites are ASP.NET Web applications.

Thanks!

 

[John]

Hi,

1) You might not need to buy a certificate at all. If all the sites
you're dealing with are on an intranet or extranet you can set up your
own certificate authority and issue certificates from that:

http://support.microsoft.com/kb/q218445/

Because your certificate authority won't be recognised by your users'
browsers, they'll see a pop-up telling them the certificate authority
isn't trusted when they connect to the secure page. But if you can tell
them to ignore the pop-up and/or add your certificate authority to
their list of trusted authorities, then you don't really need to buy a
certificate from a 3rd party authority like Verisign. Of course, that
would only work if they trust you in the first place, e.g. if you all
work for the same company.

2) Or you could purchase a certificate for just one domain, have
everyone login through a page on that domain, then redirect them to
the other sites. You'd need to store session data in a database for
this to work.

HTH!

 

[Jim.G]

There might be another option. It seems to me that you can get a
single certificate from verisign that will serve multiple virtual
servers on the same box as long as they are have the same domain.
I've never gone throught the process, but I'm quite sure it is an
option.

 

[Julie]

Hello,

If you're looking for a less expensive certificate solution, I
recommend XRamp. I use XRamp web server certificates and have a
digital ID from them and the process was quick and inexpensive.

If each of your websites are a subdomain of one domain, you might
consider using a single wildcard certificate to secure all of the
subdomains. But even if you have separate domains for each website,
XRamp is much less expensive than paying for a name like Verisign and
you get the same product.

~Julie

 

[Jeremy]

XRamp is certainly cheaper than Verisign - thanks for the tip - they are
also not as cheap as GoDaddy.com for certificates.... I just got one for
$30/year after signing up also for a new domain name. You won't see that
price advertised (I didn't, anyway); but after I registered a new .com
domain name they allowed me to purchase "additional stuff" within the next
30 minutes at a huge discount. That's where I got the ssl for $30. Even if
you just go in and buy it outright (without the domain name first like I
did), they still beat XRamp by a bunch.

-HTH

 

[David Wang [Msft]]

http://blogs.msdn.com/david.wang/archive/2005/08/02/Free_SSL_on_IIS.aspx

SSL for Encryption is always free.

The security popup from browsers due to untrusted Server Certificate is a
matter of trust, and as I mention in the blog entry there are ways to
approach that problem.

There is also a nice discussion afterwards on the blog entry where several
alternatives came up.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
XRamp is certainly cheaper than Verisign - thanks for the tip - they are
also not as cheap as GoDaddy.com for certificates.... I just got one for
$30/year after signing up also for a new domain name. You won't see that
price advertised (I didn't, anyway); but after I registered a new .com
domain name they allowed me to purchase "additional stuff" within the next
30 minutes at a huge discount. That's where I got the ssl for $30. Even if
you just go in and buy it outright (without the domain name first like I
did), they still beat XRamp by a bunch.

-HTH