IIS7 SSL, Multiple Certificates and Multiple Domains

Answers

  • User-322036075 posted

    This is standard behaviour. You can have one SSL cert / IP address & port combination. Typically with SSL you would.

    A> Assign multiple IP addresses to a server and use 1 IP per single SSL HTTP(s) Site.

    B> use different SSL Ports on the server per site and multiple certificates.

    C> Use a wildcard/UCC SSL and assign SSL Host Headers

    Example configurations:

    IP 1 all using host headers and multiple certificates
     https://www.domain1.com
     https://www.domain2.com:444
     https://www.domain3.com:445
    is valid.

    IP 1 all using host headers and multiple certificates
     https://www.domain1.com
     https://www.domain2.com
    is not valid.

    IP 1 all using host headers and UCC/SAN certificate
     https://www.domain1.com
     https://www.domain2.com
    is valid.


    IP 1 all using host headers
       http://domain1.com
       http://domain2.com
       http://domain3.com
       http(s)://domain4.com

    IP 2 all using host headers
       http(s)://domain5.com


    Now if a user goes to https://domain1.com, the site will load with a certificate error but the content of domain4.com. This is because HTTP is loaded first.

    As well, if the port :444 and :445 are not supposed to be in the domain name url, then you need additional external IP addresses or a UCC certificate.


    Type of certificates
    wildcard is *.domain.com. Using the wildcard notation (an asterisk and period before your domain name) allows you to extend security to different subdomains based on your top-level domain name.

    UCC/SAN is domain.com domain2.com site1.com etc... using Subject Alt Names meaning you can add multiple domains to a cert. If you need to update it, you contact your vendor, ask for an update and then re-apply the cert.

    If the domain names are separate, you could use a UCC certificate from GoDaddy and then assign using SSL host headers.


    The issue here is that HTTPS and HTTP are protocols and since HTTPS is encrypted, IIS has no idea how to handle it. So when a site is on SSL, the host header is encrypted and since all the data is encrypted, IIS has no idea which site to send the traffic to. At the same time, you are using the same IP on HTTP to host multiple other sites. So what is happening is IIS is responding to the host entry but feeding your SSL site content from the first SSL site.

    Once the SSL is purchased though, you will need to bind it to the sites using SSL Host Headers.

    Here is a walkthrough to do this.
    http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

    Hope it helps,

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, November 5, 2010 6:58 PM
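The rules in the answer above (one certificate per IP:port, and a hostname must be covered by a wildcard or SAN name) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from IIS; it models the binding rule and re-runs the "valid / not valid" configurations given above. The `check_bindings` input format and the certificate identifiers are assumptions made for the example.

```python
# Added example (not from the forum thread): models the IIS7 rule that only one
# certificate can be bound per IP:port (no SNI), and checks whether each site's
# hostname is covered by the names in its certificate (wildcard or SAN list).
from collections import defaultdict

def name_matches(cert_name: str, host: str) -> bool:
    """Match a certificate name against a hostname.
    Exact match, or a single leading '*.' wildcard covering exactly one label,
    so *.domain1.com covers www.domain1.com but not domain1.com or a.b.domain1.com."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".domain1.com"
        if not host.endswith(suffix):
            return False
        return "." not in host[: -len(suffix)]     # only one label may be wild
    return False

def check_bindings(bindings):
    """bindings: list of (ip, port, hostname, cert_id, cert_names).
    Returns a list of problem strings; an empty list means the layout is valid."""
    problems = []
    certs_per_endpoint = defaultdict(set)
    for ip, port, host, cert_id, names in bindings:
        certs_per_endpoint[(ip, port)].add(cert_id)
        if not any(name_matches(n, host) for n in names):
            problems.append(f"{host}: certificate {cert_id} does not cover this name")
    for (ip, port), ids in certs_per_endpoint.items():
        if len(ids) > 1:
            # IIS7 picks the first certificate for the endpoint; the others get
            # served the wrong certificate (browser warning) and wrong content.
            problems.append(f"{ip}:{port}: {len(ids)} certificates bound, only one allowed")
    return problems

# Constructed sample layouts mirroring the answer's examples (cert ids are made up).
VALID_PORTS = [("10.0.0.1", 443, "www.domain1.com", "certA", ["www.domain1.com"]),
               ("10.0.0.1", 444, "www.domain2.com", "certB", ["www.domain2.com"]),
               ("10.0.0.1", 445, "www.domain3.com", "certC", ["www.domain3.com"])]
INVALID_SHARED = [("10.0.0.1", 443, "www.domain1.com", "certA", ["*.domain1.com"]),
                  ("10.0.0.1", 443, "www.domain2.com", "certB", ["www.domain2.com"])]
VALID_UCC = [("10.0.0.1", 443, "www.domain1.com", "ucc", ["www.domain1.com", "www.domain2.com"]),
             ("10.0.0.1", 443, "www.domain2.com", "ucc", ["www.domain1.com", "www.domain2.com"])]

if __name__ == "__main__":
    for label, layout in [("ports", VALID_PORTS), ("shared", INVALID_SHARED), ("ucc", VALID_UCC)]:
        print(label, check_bindings(layout) or "valid")
```

The second layout is the poster's own situation: a wildcard for domain1 and a single-name certificate for domain2 on the same IP and port, which the checker reports as a conflict; the third layout is the UCC/SAN fix the answer recommends.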

All replies

  • User-322036075 posted

    SSL needs a separate IP if you have 2 distinct certificates.

    If you only have 1 IP to use then you will need a WILDCARD (also known as UCC) certificate and then use SSL host headers.


    Friday, November 5, 2010 12:34 PM
  • User1230587063 posted

    Hi Hads666

    Thanks for the response, currently I only have 1 IP address

    Currently I have 2 separate certificates (one for each domain). However for www.domain1.com I have a wildcard certificate so I can cover every sub domain for *.domain1.com.

    However for www.domain2.com I only have it for this domain (not sub domains of domain2.com). Is this why I'm having this problem?

    If I purchased a wildcard certificate for domain2.com would this solve my problem?  Or do I have to get another IP Address

    Many thanks


    Friday, November 5, 2010 5:00 PM
  • User1230587063 posted

    Hades666, thanks for the superb response. All is very clear now thanks to the above.

    You're a star!

     Cheers


    Saturday, November 13, 2010 4:15 PM