Have both Hostname and FQDN in SSL Certificate on IIS


Solution 1

A fundamental underlying principle of certificates is trust. Trust requires identifying the parties involved (server and/or client), by specifying a fully-qualified name. A single-label name does not fulfill the identity requirement, and therefore cannot be trusted. Certificate Authorities should not issue and applications should not trust single-label names.

You should not use single-label names to connect to services that use certificates, you should use the fully-qualified name that matches the certificate instead.

Solution 2

Yes, it is possible.

You need to create a certificate with two Subject Alternative Name (SAN) fields: one with "citrix" and the other with "citrix.contoso.com". I would keep the CN as citrix.contoso.com, but bear in mind that the CN field is ignored if your certificate has SAN fields. To create a certificate with SAN fields, follow Microsoft's instructions: How to Request a Certificate With a Custom Subject Alternative Name.
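The following is an added example, not part of the answer above or of any Microsoft documentation, showing the request-file route Solution 2 points at, carried through on the IIS host: a certreq INF with both names in the SAN extension, submission to an internal AD CS CA, a check that the issued certificate really carries both names, and the HTTPS binding. The CA config string "ca01.contoso.com\Contoso-CA", the template name "WebServer" and the site name "Default Web Site" are assumed placeholders; the names "citrix" and "citrix.contoso.com" are the ones from the question.

```powershell
# Added example (not the answer's or Microsoft's code): issue an internal-CA certificate
# whose SAN lists both the FQDN and the single-label hostname, verify it, bind it in IIS.
# Assumptions (placeholders): CA "ca01.contoso.com\Contoso-CA", a template "WebServer"
# that takes the subject from the request, and an IIS site "Default Web Site".
# Run in an elevated PowerShell session on the IIS server.

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; CN stays on the FQDN, as the answer suggests; clients ignore it once a SAN is present
Subject = "CN=citrix.contoso.com"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
; keep the private key non-exportable on the web server
Exportable = FALSE
MachineKeySet = TRUE
; AT_KEYEXCHANGE, required for TLS key exchange
KeySpec = 1
; digitalSignature | keyEncipherment
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; serverAuth
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension, one dns= entry per name.
; The FQDN must be listed here as well, because the CN is not consulted when a SAN exists.
2.5.29.17 = "{text}"
_continue_ = "dns=citrix.contoso.com&"
_continue_ = "dns=citrix"
'@
Set-Content -Path .\citrix.inf -Value $inf -Encoding ASCII

# Build the CSR, submit it to the CA and install the issued certificate into LocalMachine\My
certreq -new .\citrix.inf .\citrix.req
certreq -submit -config "ca01.contoso.com\Contoso-CA" -attrib "CertificateTemplate:WebServer" .\citrix.req .\citrix.cer
certreq -accept .\citrix.cer

# Confirm the issued certificate carries both names before touching IIS;
# a CA policy module may silently drop names it does not like.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq 'CN=citrix.contoso.com' } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with CN=citrix.contoso.com found in LocalMachine\My' }
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($san -notmatch 'DNS Name=citrix\.contoso\.com' -or $san -notmatch 'DNS Name=citrix(,|$)') {
    throw "Issued certificate is missing one of the expected SAN entries: $san"
}

# Bind the certificate to the site's HTTPS listener on port 443
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
```

Putting the SAN into the request itself, as above, is the variant to prefer over the other method in the linked Microsoft article, which turns on the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag so that any requester can append arbitrary names to any request; that flag should stay off on an enterprise CA. Two further checks before rolling this out: the short name must actually resolve for the users (DNS search suffix or an explicit record), or the browser never reaches the right host, and a public CA will not issue a single-label SAN at all, so this only works with an internal CA trusted by the clients, which is the point Solution 1 makes.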

Mikael Dyreborg Hansen

Updated on September 18, 2022

Comments

  • Mikael Dyreborg Hansen over 1 year

    I've been searching here, technet and google but haven't been able to find an answer to my question yet.

    I have a website running on IIS 7, Server 2012 R2. The IIS serves as an access to our Citrix farm. Connecting using https, I have created an SSL certificate using our CA server (certificate is for Citrix.contoso.com (internal FQDN for server)). But, users will try and connect using just https://Citrix which will generate a certificate error. So my question is: Is it possible, for the certificate to work for both Citrix and Citrix.contoso.com? If so, how do I manage to do this?

  • Mikael Dyreborg Hansen about 8 years
    Thanks for your answer Greg. I'm aware of the purpose of the certificate and I understand that it loses its purpose by simply issuing it to just a single-label name. I was just wondering if it was possible for the certificate to contain both FQDN and single-label name, but I guess it isn't. I urge my users to connect through their browser using FQDN but they are reluctant to use FQDN rather than hostname as it is longer to type, hence they get the certificate warnings. Thanks once again Greg and have a nice day.
  • kralyk over 6 years
    @greg - while I agree with you, one thing I've run into is things like Okta that require their IWA server use single-label name (netbios) for their IWA servers because the browser needs to use the current logged on user/pwd which is difficult to do with FQDN unless you add it to the Intranet zone properly. Upvoted regardless, as you are right. :)
  • RickWeb over 4 years
    @MikaelDyreborgHansen although best practice for SSL certs is exactly as Greg Askew has described and certainly will not cause any security risks or problems. However, it is not technically true: a SAN certificate can be created which uses Subject Alternative Names, for example including a server's hostname and FQDN.