Using the external certificate for internal portal
We have a Unix web server which hosts a UCS-related portal, e.g. https://abc.xyz.com; the same site is published over the internet as well. To secure the connection over the internet we have a wildcard certificate, *.xyz.com, issued by an external body, Thawte, and bound in TMG. The site works fine when accessed over the internet, but when this site is accessed internally it gives a certificate error, as the internal traffic directly reaches the web server and is not routed via TMG.
Question 1: Is it possible to use the same wildcard certificate *.xyz.com issued by Thawte for internal access as well? Does it work?
Question 2: When the website is accessed using the server name https://<servername>, the portal loads without any certificate error, as the machine certificate is issued by one of our internal CAs. If I bind the same machine certificate to the IIS service on that server, does it work? Or should the certificate request be generated first, and the name should match the name of the portal?
Please clarify my doubts, and please let me know if the question is not clear. Mahesh
August 15th, 2012 1:09am

A1: Yes, you can have the same wildcard certificate for internal access by binding that certificate in your web server.
A2: When using SSL/TLS certificates, besides having a valid server certificate, you need to have a match between the subject/alternative subject name in the certificate and the requested URL. In other words, you can use any valid server certificate that matches the name/host name of the website used in the client browser to access the site. /Hasain
August 15th, 2012 6:38am

Dear Hasain, Thank you for your answer. For A2, should the certificate name always match the name of the URL that we use in the client browser? So, I can't bind the machine when the site is accessed via a name other than its machine name, am I correct? Mahesh
August 15th, 2012 8:18am

Well, you can bind it but you will get a certificate error/warning on the client if the name mismatches! /Hasain
August 15th, 2012 8:24am
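
The name-matching rule discussed in the answers above, as an added example that is not part of the original thread: it checks which client-typed host names a certificate's DNS names cover, with a wildcard standing for exactly one leftmost label (the RFC 6125 rule). The server name websrv01 and the machine certificate's names are hypothetical; *.xyz.com and abc.xyz.com come from the question.

```python
"""Added example: which host names a certificate's DNS names cover."""


def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, hostname):
    """True if one DNS name from the certificate covers the name the client typed."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard never spans more (or fewer) than one label
    if p[0] == "*":
        if len(p) < 3:
            return False  # refuse over-broad patterns such as "*.com"
        return h[0] != "" and p[1:] == h[1:]
    # Partial wildcards ("a*.xyz.com") are treated as literals, so they never match.
    return p == h


def certificate_covers(cert_dns_names, hostname):
    return any(dns_name_matches(n, hostname) for n in cert_dns_names)


# Constructed sample data.
WILDCARD_CERT = ["*.xyz.com"]                         # external wildcard certificate
MACHINE_CERT = ["websrv01", "websrv01.corp.example"]  # hypothetical internal-CA certificate
CLIENT_NAMES = ["abc.xyz.com", "websrv01", "xyz.com", "a.b.xyz.com"]


def report(names=CLIENT_NAMES):
    """Rows of (name typed by client, covered by wildcard cert, covered by machine cert)."""
    return [
        (n, certificate_covers(WILDCARD_CERT, n), certificate_covers(MACHINE_CERT, n))
        for n in names
    ]


if __name__ == "__main__":
    for name, wildcard_ok, machine_ok in report():
        print(f"https://{name:<14} wildcard={wildcard_ok!s:<5} machine={machine_ok}")
```

Whichever certificate is bound on the web server, a client sees no name warning only for the rows where that certificate's column is True.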

Thanks Hasain for your answer... Mahesh
August 16th, 2012 12:58pm

This topic is archived. No further replies will be accepted.
