Multiple SSL Certificates on the same server

  • Question

  • User-118251942 posted

    Hi

    Two sites should use port 443. Our server has only one IP-address.
    Is it then possible to have two SSL star-Certificates (each with its own Web site - IIS7) on the same WEB-server ?
    *.cert1 on site1.dk and *.cert2 on site2.dk

     /Steffen

    Tuesday, December 7, 2010 7:49 AM

All replies

  • User-322036075 posted

    For this to work, you will need to purchase a UCC certificate. Standard (UCC) certificates are multi-domain :) They can be expensive at times depending on how many domains you want to secure.

    Essentially, your sites will use Host Headers/bindings with one shared SSL certificate that has multiple subject names.

    For example, with a GeoTrust True BusinessID Multi-Domain SSL UCC, you can secure:
    site1.dk
    site2.dk
    site1.mydomain.com
    dev.domain.org
    www.other-domain.com
    etc...

    http://www.geocerts.com/ssl/tbidmd

    Once the SSL is purchased though, you will need to bind it to the sites using SSL Host Headers.

    Here is a walkthrough to do this.
    http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

    http://www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Tuesday, December 7, 2010 8:42 PM
  • User989702501 posted
    AFAIK, IIS doesn't support SAN-based SSL yet. If you have *.site1.com then you can use it to bind to more than one site; however, if you have a different top-level domain, this wildcard cert won't work, and you will need an additional IP to bind *.site2.com. Have you tested it?
    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Tuesday, December 7, 2010 10:01 PM
  • User-118251942 posted

    No, I have not tested it yet.
    But I'll attach a second IP address to the server. This will be used exclusively for site2.dk.

    Thank you for your answer

    Steffen

    Wednesday, December 8, 2010 3:54 AM
  • User989702501 posted
    Yes, with an additional IP for another cert, this will work.
    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, December 9, 2010 12:54 AM
  • User-118251942 posted

    The IIS7 GUI does not let me add both a host header and an IP address for the site using *.cert2.
    How do I configure "Appcmd" or "netsh" to define both the host header and the IP address for the second *.cert SSL certificate?

    Monday, December 13, 2010 8:40 AM
  • User-118251942 posted

    Using the IIS7 GUI, *.cert_1 and hostheader_1 are bound together with "IP_1"/port 443.
    With Appcmd I've set hostheader_2 on site_2 using "IP_2":443, but I can't find the right command to tie *.cert_2 to either hostheader_2 or IP_2.

    Monday, December 13, 2010 3:08 PM
  • User989702501 posted
    You can either try:
    appcmd set site /site.name: contoso /+bindings.[protocol='https',bindingInformation='*.fabrikam:443:']
    or:
    appcmd.exe set site "Fabrikam HR" /bindings:"http/192.168.1.1:80:hr.fabrikam.com,http/192.168.1.1:433:*.fabrikam.com"
    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, December 15, 2010 9:22 PM
  • User-118251942 posted

    Thank you all.

    As mentioned earlier, I have 2 different sites (site_1 and site_2).

    Using what is probably the most common way, I have set Hostheader_1 to HTTPS (443) using cert_1 (on site_1, IP Address = All Unassigned; IP_1 would also work here).

    Also using the GUI on site_2, I defined https (443), cert_2, IP Address = IP_2. Hostheader_2 was "grayed out", so I could not assign cert_2 to hostheader_2. Because of this, I used the following command:

    C:\Windows\System32\inetsrv\appcmd set site /site.name:*.CERT_2 /+bindings.[protocol='https',bindingInformation='IP_2:443:HOSTHEADER_2']


    When using CNAMEs in DNS, it is mandatory that the DNS server is NOT configured with 2 IP addresses for the web server hosting the sites. Instead, the DNS server needs an A record for hostheader_2 pointing at IP_2.

    Perhaps the above is not the simplest or the correct method.
    BUT it works ...

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, December 16, 2010 2:39 AM
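The configuration Steffen arrives at above (one certificate per IP address, with the host header set through appcmd), written out as an added PowerShell example. This is not code from the thread or from Microsoft; the site names, host names, IP addresses (192.0.2.x is documentation address space), thumbprints and the appid GUID are placeholders to replace with your own values. It also adds the check the thread never shows: connecting to each IP with the host name as SNI and confirming which certificate HTTP.sys actually serves and whether that certificate's names cover the host, using the one-label wildcard rule that also explains the earlier answer about *.site1.com not covering a different domain. Two facts worth having next to the thread: with a single multi-name (UCC/SAN) certificate, as the first answer describes, both sites can share one IP and only the host header differs (pass 0.0.0.0 as the IP); and the one-IP-per-certificate constraint exists because IIS 7 has no SNI support. IIS 8 on Windows Server 2012 added it, where the binding carries the host name (`-SslFlags 1` on `New-WebBinding`, `hostnameport=` on `netsh http add sslcert`).

```powershell
# Added example, not code from the thread. Requires the WebAdministration module
# (IIS 7.5 / Server 2008 R2 or later) and an elevated shell. All names, addresses
# and thumbprints below are placeholders (assumptions), not values from the thread.
Import-Module WebAdministration

function Add-HttpsBindingPerIp {
    # Creates the IIS site binding plus the HTTP.sys SSL binding that the IIS 7 GUI
    # will not create once a host header is combined with a specific IP address.
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][string]$Ip,          # 0.0.0.0 = "All Unassigned" (shared UCC/SAN cert case)
        [Parameter(Mandatory)][string]$HostHeader,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$AppId = '{00000000-0000-0000-0000-000000000001}'  # placeholder; any GUID identifying the owning app
    )
    # The certificate must already be installed in LocalMachine\My (the store the IIS GUI uses).
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My" }

    # Site-level binding: the same thing the appcmd /+bindings command in the thread does.
    New-WebBinding -Name $Site -Protocol https -IPAddress $Ip -Port 443 -HostHeader $HostHeader

    # HTTP.sys-level binding. Without SNI (IIS 7), HTTP.sys selects the certificate by ip:port
    # alone, which is why two different certificates need two IP addresses.
    & netsh http add sslcert ipport="${Ip}:443" certhash=$Thumbprint appid="$AppId"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for ${Ip}:443" }
}

function Get-CertDnsNames {
    # Returns the DNS names a certificate covers: subjectAltName entries plus the subject CN.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName OID
    if ($san) {
        # On Windows, Format($false) renders the SAN as "DNS Name=a.dk, DNS Name=b.dk"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    return $names | Select-Object -Unique
}

function Test-NameCovers {
    # RFC 6125-style match: a wildcard stands for exactly one leftmost label, so
    # *.site1.dk covers www.site1.dk but neither site1.dk nor a.b.site1.dk.
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant().Split('.')
    $h = $HostName.ToLowerInvariant().Split('.')
    if ($p.Count -lt 2 -or $p.Count -ne $h.Count) { return $false }
    if ($p[0] -eq '*') {
        return (($p[1..($p.Count - 1)] -join '.') -eq ($h[1..($h.Count - 1)] -join '.'))
    }
    return ($Pattern.ToLowerInvariant() -eq $HostName.ToLowerInvariant())
}

function Get-ServedCertificate {
    # Opens a TLS connection to $Ip with SNI = $HostHeader and reports which certificate
    # HTTP.sys actually served and whether it covers the host name. The validation callback
    # accepts everything on purpose: this is a diagnostic, not a trust decision.
    param([string]$Ip, [string]$HostHeader)
    $client = New-Object System.Net.Sockets.TcpClient($Ip, 443)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostHeader)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = Get-CertDnsNames $served
        [pscustomobject]@{
            Ip         = $Ip
            Host       = $HostHeader
            Subject    = $served.Subject
            Thumbprint = $served.Thumbprint
            Covers     = [bool]($names | Where-Object { Test-NameCovers $_ $HostHeader })
        }
    } finally { $client.Close() }
}

# Constructed sample configuration (placeholders): one wildcard certificate per site, one IP each.
$sites = @(
    @{ Site = 'site_1'; Ip = '192.0.2.10'; HostHeader = 'www.site1.dk'; Thumbprint = 'THUMBPRINT_OF_CERT_1' },
    @{ Site = 'site_2'; Ip = '192.0.2.11'; HostHeader = 'www.site2.dk'; Thumbprint = 'THUMBPRINT_OF_CERT_2' }
)
foreach ($s in $sites) { Add-HttpsBindingPerIp @s }
foreach ($s in $sites) { Get-ServedCertificate -Ip $s.Ip -HostHeader $s.HostHeader }
```

After running it, `netsh http show sslcert` lists the ip:port to thumbprint pairs HTTP.sys will use, and the `Covers` column of the output should be true for both sites; a false there with the wrong thumbprint is the symptom of the DNS situation Steffen describes, where a CNAME or a second A record sends a host name to the IP carrying the other certificate.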
  • User989702501 posted
    Grayed out? Hmm... if it's binding to a different IP and there is a cert bound to the 2nd site, I see no reason why you can configure the 2nd site like the first one.
    Monday, December 20, 2010 12:17 AM
  • User-655144444 posted

    SSL will require a static IP to work with. If you want to have two websites with SSL, you need another IP address.

    Wednesday, December 22, 2010 4:45 AM
  • User-118251942 posted

    I know. Which is why I wrote IP_1 and IP_2.

    Wednesday, December 22, 2010 5:08 AM
  • User989702501 posted
    @@ - thread digger?
    Wednesday, December 22, 2010 9:10 PM