In IIS7, if you want to host two or more websites on one web server using different domain names and different SSL certificates, you need to assign more than one IP address to the server: each IIS website that you bind an SSL certificate to must have its own unique IP address.
Generating a Private Key and CSR for Linux Web Server
These are the instructions for generating a CSR on an Apache web server.
(Note: you need to be logged in as root for this process.)
OpenSSL is used to generate an RSA private key and a CSR file. You can also use it to generate self-signed certificates, which can be used for testing or internal usage.
OpenSSL should be installed in the /usr/local/ssl/bin directory.
The first step is to create your RSA private key. The key we will create is a 1024-bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text. We will use several files as random seed enhancers, which help make the key more secure; text files that have been compressed with a utility such as gzip are good choices. The key is generated with the following command, where file1:file2:etc represents the random compressed files.
# openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
You will be prompted for a pass-phrase. It is critical that you keep this pass-phrase secure: if you lose the key or forget the pass-phrase, the certificate will be useless.
One issue with using a pass-phrase-protected private key is that Apache will ask for the pass-phrase every time the web server is started. This is not always convenient, as someone may not be around to type in the pass-phrase after a reboot or crash.
mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog; however, this is not necessarily the most secure option either. The other option is to remove the Triple-DES encryption from the key, so that no pass-phrase needs to be typed in. If you remove the encryption from the private key, it is critical that the file is readable by the root user only. If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked.
This command will remove the pass-phrase from the key:
# openssl rsa -in server.key -out server.pem
Once the private key is generated, you need to generate a CSR (Certificate Signing Request). The CSR is:
During the generation of the CSR you will be prompted for several pieces of information; these are the X.509 attributes of the certificate. One of the prompts is for "Common Name"; it is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the URL of the website to be protected is https://www.webserver.com, enter www.webserver.com at this prompt.
This is the command to generate the CSR:
# openssl req -new -key server.key -out server.csr
You will be asked to enter the PEM pass phrase.
Country Name (2 letter code) [XX]:IE
State or Province Name (full name) :Kilkenny
Locality Name (eg, city) [Default City]:Kilkenny
Organization Name (eg, company) [Default Company Ltd]: Security I Trust
Organizational Unit Name (eg, section) :InfoSec
Common Name (eg, your name or your server's hostname) : securityitrust.com
Email Address : support@your_email_address.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password : I7nf9oS5
An optional company name : Security I Trust
At this point you have two options.
1. You can use your CSR to purchase a signed SSL certificate. If this is your plan, upload the CSR to the vendor's website; when you have received the certificate from the vendor, install the private key and certificate on your web server.
2. Generate a self-signed certificate.
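The same key, CSR and self-signed certificate workflow as a non-interactive script, with a check that the CSR really belongs to the private key. This is an added example, not code from the original post; it assumes openssl is on PATH, and the directory, hostname (shop.example.test) and subject values (Example Ltd) are constructed for illustration. It goes beyond the post in using a 2048-bit key and a subjectAltName, which current CAs and browsers require.

```shell
#!/bin/sh
# Added example, not from the original post: the same openssl workflow done
# non-interactively, with a check that the CSR really belongs to the key.
# Assumptions: openssl on PATH; directory, hostname and subject values are
# constructed for illustration (Example Ltd, shop.example.test).
set -eu

# Create server.key, server.csr and a self-signed server.crt in $1 for host $2.
# Goes beyond the post: 2048-bit key and a subjectAltName, which CAs and
# browsers require today (1024-bit keys and CN-only certs are rejected).
make_csr() {
    dir="$1"; fqdn="$2"
    mkdir -p "$dir"
    umask 077   # key file is created 0600: readable by its owner only
    # Unencrypted key, i.e. the post's "remove the pass-phrase" variant.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # Subject and SAN come from a config file instead of interactive prompts.
    cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = IE
ST = Kilkenny
L  = Kilkenny
O  = Example Ltd
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn,DNS:www.$fqdn
EOF
    openssl req -new -key "$dir/server.key" -config "$dir/csr.cnf" \
        -out "$dir/server.csr"
    # Option 2 from the post: a self-signed cert for testing, valid 365 days.
    openssl req -x509 -key "$dir/server.key" -config "$dir/csr.cnf" \
        -extensions ext -days 365 -out "$dir/server.crt"
}

# Succeed only if CSR $1 has a valid self-signature and carries the public
# key of private key $2 (compared as SHA-256 of the PEM public key).
csr_matches_key() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ]
}
```

Run csr_matches_key against the key you are about to upload with the CSR; a mismatch means the certificate the vendor returns will never load on the server.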
Do you know that an SSL cert does not secure your website?
Shockingly, many people around the world think that once a website has an SSL cert it is secure. What an SSL cert actually does is secure the data transfer between an HTTPS page in a web browser and the web server. So it is simply a way to secure the transfer.
From speaking with many web users we discovered that they were under the impression that when they saw an SSL-secured logo the website had high security and was protected from hackers. Unfortunately this is an incorrect assumption, because website security requires a lot more than just an SSL cert.
We also learned from speaking to Irish website owners that many were not treating their website security as a high priority. The general comment we got, which shocked us, was: "if we get hacked we will invest in IT security for our website, but until then we do not see the need", because they believed that hackers might never find their website and they were willing to take the risk. We have not carried out any surveys to assess how many Irish website owners think in this way, but to date every owner of an Irish ebusiness website we spoke with failed to understand why their website required a basic level of IT security.
What has gone wrong here? Is it simply a lack of education that is preventing some Irish online businesses from understanding the risks involved, or is it that many Irish ebusinesses are not willing to invest the money to protect their website and their customers?