SSL and Hostheaders

  • Question

  • User-1089276677 posted
    I'm not sure if this is in quite the right forum... Our company hosts over 200 sites on IIS7 on Windows Server 08 (web edition). We have three sites that have a secure shopping cart and SSL certs. We put about ten sites on each IP address. The problem we are running into is that the UI for IIS7 does not allow host headers to be added to the SSL binding. I have run the appcmd command in an effort to do it manually, but that causes the binding to not specify an SSL cert. I have done some research on specifying a cert through appcmd but was unable to find anything that would answer my question. Any help on this matter would be great. Thanks
    Friday, January 23, 2009 2:20 PM

Answers

  • User930989739 posted

    Using hostname based SSL sites has many limitations. Thomas Deml wrote a blog http://blogs.iis.net/thomad/archive/2008/01/25/ssl-certificates-on-sites-with-host-headers.aspx that explains some of the issues. Basically, when a client connects to the server, the server only knows which of the server's IP addresses the client connected to. So it cannot choose the server certificate based on hostnames, only based on IP address. In a controlled environment where multiple sites are closely related, it is OK for them to share a certificate (assuming that a wildcard certificate is used or it contains multiple names).

    One of your 3 sites (assuming they are related) should own the binding without the hostname, and that would allow the association of the certificate with the endpoint (this certificate would then be used for all the other sites that share the port and differ only in the endpoint).

    Note: This shared ownership of the SSL certificate is rather confusing, but the only way around it would be for the server to know about the hostname chosen by the client before the certificate is chosen by the server. There is a "TLS name extension" (RFC 3546) spec that supports that, but it will still take a few years before clients and servers adopt it so that it is actually useful.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Saturday, January 24, 2009 1:02 AM
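    An added example (not from the thread, the linked blog, or IIS documentation) of the layout the answer describes: one site owns the hostname-less HTTPS binding, the certificate is attached to the IP:port in HTTP.sys, and the other sites on that IP get host-header HTTPS bindings through appcmd. The IP address, site names, hostnames, certificate thumbprint and appid GUID are placeholders to replace with your own values.

```batch
@echo off
REM Added example: share one certificate among host-header HTTPS sites on IIS 7.
REM Placeholders (not from the thread): IP 10.0.0.5, sites CartSite1/CartSite2,
REM hostname shop2.example.com, the thumbprint and the appid GUID.
REM Run from an elevated command prompt on the IIS 7 server.

set APPCMD=%windir%\system32\inetsrv\appcmd.exe
set IP=10.0.0.5
set CERTHASH=0000000000000000000000000000000000000000
REM The appid is any GUID; HTTP.sys records it as the owner of the binding.
set APPID={00000000-0000-0000-0000-000000000001}

REM 1. The owning site gets the HTTPS binding without a host header. IIS Manager
REM    can do this step too, and can attach the certificate through the UI.
%APPCMD% set site /site.name:CartSite1 /+bindings.[protocol='https',bindingInformation='%IP%:443:']

REM 2. Attach the certificate to the IP:port in HTTP.sys. This is the step that
REM    an appcmd-created binding lacks. HTTP.sys selects the certificate by
REM    IP:port only, so every HTTPS site on %IP%:443 presents this certificate.
netsh http add sslcert ipport=%IP%:443 certhash=%CERTHASH% appid=%APPID%

REM 3. Other sites on the same IP:port get host-header HTTPS bindings; the UI
REM    refuses to create these, appcmd does not. They use the certificate from 2.
%APPCMD% set site /site.name:CartSite2 /+bindings.[protocol='https',bindingInformation='%IP%:443:shop2.example.com']

REM 4. Verify: one certificate on the endpoint, several site bindings using it.
netsh http show sslcert ipport=%IP%:443
%APPCMD% list sites

REM Caveat: browsers compare the hostname they requested against the
REM certificate, so this only works when the certificate covers every hostname
REM on the endpoint (wildcard or multiple names). Unrelated domains still need
REM a separate IP (or port) per certificate.
```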

All replies

  • User-1089276677 posted

    Unfortunately the sites are completely unrelated, with the exception of the same shopping cart that drives them. The sites are different domains, for different clients, for selling different things. Is our only solution going to be to put each cart on its own IP?

    Edit: What about using different port numbers for the certs?

    Saturday, January 24, 2009 10:33 AM
  • User-1089276677 posted
    For the time being we have decided to put these sites on separate IP addresses. I wish that there was a better solution. Thanks, JaroDunajsky, for your reply.
    Monday, January 26, 2009 10:25 AM