IIS 7 & SSL

  • Question

  • User952135346 posted

    Does anyone know if it is possible to host multiple SSL domains on a single IP in IIS 7? I know this was impossible in version 6, would be great if this is now possible. Any info appreciated.

    Friday, June 1, 2007 10:54 PM

All replies

  • User989702501 posted

    Yes/No. SSL support in IIS 7 and 6 should be the same, and you will be able to use a wildcard SSL certificate for multiple sites on a single IP, on the condition that all sites share the same root domain.

    Tuesday, June 5, 2007 12:31 AM
  • User1365816255 posted

    Hey-
    Bernard is correct that IIS7 will support wildcard certs for multiple SSL support.  However, like IIS 6, the IIS Manager for IIS7 doesn't support configuring IIS7 using SSL & Host Headers.  Thus, the same approach as was used in IIS 6 would be used with slight modifications to the actual utility.  For example, instead of using adsutil.vbs to set the configuration property SecureBindings you would use AppCmd or Microsoft.Web.Administration for the <sites> collection's bindings.  If you can't figure this out, let us know and I am happy to test and give back the sample...

    Thanks,

    Friday, August 3, 2007 3:42 AM
  • User26069317 posted

     Hi

     I have problems even with one SSL-enabled site. If I enable SSL with for example contoso1.com, https://contoso1.com works fine. But requests for other sites like https://contoso2.com, https://contoso3.com and so on ( assuming I have multiple sites contoso1.com, contoso2.com ... hosted by IIS ) return the same page https://contoso1.com. Of course these requests should never come in in the first place. But anyway is it possible to configure IIS to return something like 404 for those requests?

     Thanks
     

    Saturday, November 24, 2007 3:00 PM
  • User511787461 posted

    You can configure the SSL binding of the web-site to take a host-header - I do not remember whether the UI allows you to do that, but you can definitely do it by directly editing configuration.

    Monday, November 26, 2007 2:06 PM
  • User1365816255 posted

    Unless something has changed in the most recent release of the UI, Host Header & SSL support (SecureBindings) isn't supported in the UI.  Just adding that since Anil commented...

    -Chris

    Monday, November 26, 2007 3:07 PM
  • User26069317 posted

     Thank you for your prompt reply

     That's right, I edited configuration manually. Turns out it's not a big deal :-)

     Now it looks like

    <bindings>
        <binding protocol="http" bindingInformation="*:80:contoso.com" />
        <binding protocol="https" bindingInformation="*:443:contoso.com" />
    </bindings>

    And it shows up in Bindings in UI but is not editable.

    Some minor problems still persist. An http :80 request with the wrong Host Header never goes to the site. But an https :443 request with the wrong Host Header still goes through to the site. The browser reports a certificate error, I can view certificate details, and only after I hit "Proceed to the site - Not recommended" do I receive a 404 response.

     Not a big deal but some clients can get disappointed.

     Any ideas? I think I can write an HttpModule to check for wrong Host Header - now it is possible to do using .NET - great. That's only a couple lines of code.

    Thank you again

     Art
     


     

    Monday, November 26, 2007 4:23 PM
  • User511787461 posted

    The request is not going to the site - it is being rejected by http.sys as soon as it sees the host header - but that happens after the SSL negotiation which is why you see the bad certificate thing on the client.

    Monday, November 26, 2007 4:30 PM
  • User26069317 posted

    So what do you think? Is there something I can do with this certificate thing?

    Http Module is not a solution. I can not insert it into or before SSL negotiation. Right? 

     

    Monday, November 26, 2007 5:38 PM
  • User511787461 posted

    There is nothing you can do - SSL negotiation has to happen before the server knows which hostname the client is interested in - and the only thing the server knows before that is the IP address.

    Tuesday, November 27, 2007 12:16 PM
  • User-1217239237 posted

    You should just create or buy a wildcard SSL certificate.

    Remember to use a star in the common name field when creating the request.
    Like: *.domain.com, otherwise it won't work.

    After you have created the wildcard SSL certificate, IIS automatically allows you to edit the https host header name via the UI, so you don't have to manually configure anything.
    (If you select a normal certificate from the host header dropdown then the host header field is disabled)

    This way you could have single IP address and multiple https sites and no certificate errors.

    Friday, January 16, 2009 8:56 AM
  • User762595890 posted

    Hi there,

    This is my first post to this forum, but I'm a regular reader.

    Until now I've never had the need to have more than one HTTPS website, but now that time has come, and so have the problems some of you are facing. I have only one IP available for my websites and I've tried everything you suggested, like the self-signed *.domain.com (so that I can input the host name in Site Bindings). The problem is that when I try to connect to any of those sites, after the self-signed certificate warning, the browser returns an error like "The network link was interrupted while negotiating a connection. Please try again." in Firefox (and something like that in IE7).

    I'm not very comfortable with config files, but can you help me with this? I will soon have a couple of e-commerce websites and I will have to solve this headache and understand which certificate to buy, or if there is a real solution for this...

    TIA

    Thursday, January 22, 2009 11:07 PM
  • User-1217239237 posted

    Hello,

    Are you sure that you created wildcard certificate and not just normal certificate to *.domain.com address?

    What I have done which works fine:

    Environment:
    Windows Server 2008 Standard x64, IIS7, 1 Public IP

    Steps:
    1. Bought wildcard certificate from one vendor, cost 149$ per year.
    [Vendor site stuff]
    2. Created Certificate Request using Common name: *.mydomain.com
    [Vendor site stuff]
    3. Completed Certificate Request
    4. Used same certificate in 3 different sites with following host names:
    https://a.mydomain.com
    https://b.mydomain.com
    https://c.mydomain.com

    + yeah you can use wildcard certificate with Sql Server 2008 Reporting Service
    https://reports.mydomain.com

    Everything works fine and no warning messages with any major browser.

    If we had an ISA server it would maybe(?) be better to assign more IP addresses to the server and use single certificates per site..

     

    Friday, January 23, 2009 5:52 PM
  • User-1839096331 posted

     How can I edit host headers for IIS 7 manually, i.e. not from the UI, because I want to add SSL for multiple sites on the same IP.

    Thursday, February 26, 2009 1:31 PM
  • User989702501 posted

    host header? just edit the binding information.

    for *.domain.com pointing to an IP address that's your DNS record.

    Friday, February 27, 2009 11:18 PM
  • User707383396 posted

    On further reading, it appears that an internal CA might be a better option over the Self Signed Certificate...

    Once again, any help you can offer would be very much appreciated.

    Wednesday, July 22, 2009 8:34 AM
  • User989702501 posted

    What kind of help ? are you looking for CA or Self Signed Cert or SSL host header on this thread?

    Thursday, July 23, 2009 3:52 AM
  • User707383396 posted

    Hi Chrisad,

    Would definitely like some help with how to use AppCmd or Microsoft.Web.Administration for binding wildcard SSL certificate to my multiple sharepoint sites with host headers running on port 80

    From the way I understand it, I need to:

    • IIS 7 > Server Certificates > Create Certificate Request using *.domain.com as the common name
    • Submit the Certificate Request to a CA (which in this case is my Domain Controller) for signing
    • Import the signed certificate via IIS 7 > Server Certificates > Complete Certificate Request

    Assuming these steps are correct (if they're not, please let me know), what do I need to do next to bind the wildcard cert to each website?

    Thursday, July 23, 2009 6:35 AM
  • User225163033 posted

     Well explained!!! [:)]

    Saturday, July 25, 2009 12:16 PM
  • User-1842934561 posted

    I am running IIS7 on a Windows 2008 Web Edition x64 Server. I have one public IP. I am trying to figure out an SSL solution that allows me to support multiple secure domain names on the same server that are not simply wildcard subdomains, i.e. not:

    a.domain.com
    b.domain.com

    but

    www.firstdomain.com
    www.seconddomain.com

    I have had trouble finding information on how to do this. Is it possible? If so would you be willing to explain how or provide links to information that I can't seem to find? Thanks all!

    Thursday, October 1, 2009 11:57 AM
  • User26069317 posted

     As far as I understand (please correct me if I'm wrong) when Web server negotiates SSL session (and that's when SSL Certificate must be presented to the client) Host Header information is not yet available. It is encoded yet and can be decoded only after SSL session will be established. Only destination IP address is available.

    So one IP address - one SSL certificate, wildcard or not.

    Friday, October 2, 2009 12:14 PM
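
An added example, not code from any post in this thread: a Python check that reads the `<sites>` bindings from applicationHost.config and applies the rule stated above, that one IP:port presents one certificate, to flag https host headers the certificate does not cover. The sample config, the site names and the `cert_names_by_endpoint` input (the names on the certificate bound to each endpoint, supplied by the operator) are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of applicationHost.config's <sites> section.
SAMPLE = """<configuration><system.applicationHost><sites>
  <site name="A"><bindings>
    <binding protocol="http" bindingInformation="*:80:a.mydomain.com" />
    <binding protocol="https" bindingInformation="*:443:a.mydomain.com" />
  </bindings></site>
  <site name="B"><bindings>
    <binding protocol="https" bindingInformation="*:443:b.mydomain.com" />
  </bindings></site>
  <site name="Other"><bindings>
    <binding protocol="https" bindingInformation="*:443:www.seconddomain.com" />
  </bindings></site>
  <site name="Legacy"><bindings>
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
</sites></system.applicationHost></configuration>"""


def parse_binding(info):
    """Split 'ip:port:host'; rsplit keeps a bracketed IPv6 address intact."""
    ip, port, host = info.rsplit(":", 2)
    return ip, int(port), host.lower()


def covers(cert_name, host):
    """Exact match, or '*.' wildcard standing for exactly one left-most label."""
    cert_name = cert_name.lower()
    if cert_name.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return cert_name == host


def audit(config_xml, cert_names_by_endpoint):
    """Return sorted (endpoint, site, host, problem) tuples for https bindings."""
    endpoints = defaultdict(list)
    for site in ET.fromstring(config_xml).iter("site"):
        for b in site.iter("binding"):
            if b.get("protocol") == "https":
                ip, port, host = parse_binding(b.get("bindingInformation"))
                endpoints[(ip, port)].append((site.get("name"), host))
    findings = []
    for ep, sites in endpoints.items():
        names = cert_names_by_endpoint.get(ep, [])
        for site, host in sites:
            if not host and len(sites) > 1:
                findings.append((ep, site, host, "no host header on shared ip:port"))
            elif host and not any(covers(n, host) for n in names):
                findings.append((ep, site, host, "host not on certificate"))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed: the names on the one certificate bound to *:443.
    for finding in audit(SAMPLE, {("*", 443): ["*.mydomain.com"]}):
        print(finding)
```

Adding `www.seconddomain.com` to the name list, as a certificate with Subject Alternative Names would, clears the "Other" finding and leaves only the binding without a host header.
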
  • User989702501 posted

    If you have one IP address + not trying to do wildcard, then you need to bind the cert at different ports (443,8888,9999/etc).

    then clients will access via https://mytestdomain:8888/abc.htm

     

    Monday, October 5, 2009 5:25 AM
  • User-1203291151 posted

     Hey guys,

    I'm having a problem and would really appreciate your help.  I need to manually edit the "SecureBindings" string for a website, but I cannot figure out how to do this.  I'm trying to set up SSL for our sites and having the .mydomain on the end is not acceptable.

    In IIS 6 I would right click the website > Select All Tasks > Save Configuration to a File...

    Then I could open the XML and update SecureBindings from:

    SecureBindings=":10126:"

    to:

    SecureBindings=":10126:[SERVERNAME]"

    Can someone please tell me how to do this, then how to import this file as the new website in IIS 7.0.

    I tried using APPCMD and I'm not sure if I have it right or not, I'm new to this as well.  Here's the line I used:

    appcmd list config "[SITENAME]/" /config:* /xml >Output.xml

    Your help is greatly appreciated.

     

     

    I was able to find where this information was located.  It's in the applicationhost.config file at C:\Windows\System32\inetsrv\config

    Tuesday, December 1, 2009 2:22 PM
  • User989702501 posted

    To migrate IIS 6 to 7, try the msdeploy or web deployment kit.
    The save config file in IIS 6 is not really paste'able to the IIS 7 configuration file.

    Friday, December 4, 2009 1:31 AM
  • User-1596488291 posted

    Been enjoying reading this thread, and have done a couple searches for my specific situation, but I'm not finding an answer.

    From what I've been reading here, everyone is trying to configure multiple sites to run against a single SSL cert on IIS7.

    Here's my wrinkle...can IIS7 be configured to run multiple sites on a single IP address with each site having its own SSL cert?

    Example:

    IP Address: 192.168.1.1
    Domain abc.com would bind to https://www.abc.com on 192.168.1.1:443
    Domain xyz.com would bind to https://www.xyz.com on 192.168.1.1:443

    I might be talking crazy talk, but...

    Thanks in advance,

    Ric

    Wednesday, December 16, 2009 11:53 PM
  • User26069317 posted
    Think about it from the point of view of IIS. When an https request arrives it should present some certificate to the client to begin SSL negotiation. At this moment it does not know a thing about which site will be requested. Host header information is still encrypted. All it knows is IP address and port. Only after SSL negotiation succeeds will IIS be able to decrypt the host header, query string, request body and so on.
    Thursday, December 17, 2009 6:29 AM
  • User989702501 posted

    In your case no, coz it is the same IP + port and the only difference is the host header. Until IIS supports the Subject Alternative Name or maybe something to do with a TLS extension, the hostnames are not available during the SSL handshake.

    Friday, December 18, 2009 11:17 PM
  • User-837123647 posted

    I found this on the net and it worked for me using 1 cert, 1 IP and same port for multiple sites with host headers.

    http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

    Friday, February 5, 2010 4:51 PM
  • User989702501 posted

    wildcard cert for multiple domains work on IIS 6 as well.

    Tuesday, February 9, 2010 7:32 PM
  • User-1126925207 posted

    Also to add to your information : Please make sure that the Friendly name is "*.domain.com" and not something like "wildcard certificate for domain"

    Please see http://blogs.dawnworld.org for screen shots of the issue.

    Regards,

    Jack

    Saturday, March 13, 2010 1:11 PM
  • User989702501 posted
    Errrrr me ?
    Tuesday, March 16, 2010 3:10 AM
  • User-1054463645 posted

    I'm assuming you edited the Web.Config file?

    Where does IIS 7.5 store this file on Windows Server 2008 R2?

     

    I need to edit the Host Name for one of my sites but can't edit via GUI.

     

    thanks!

    Thursday, October 7, 2010 5:40 PM
  • User989702501 posted
    What are you trying to edit? appcmd? why can't edit via UI?

    Monday, October 11, 2010 9:09 PM
  • User1745980021 posted
    I just worked out how to solve this problem using bits and bobs of what people have said here. Anyway I wrote a step by step guide here: http://bit.ly/azSk5C
    Thursday, November 18, 2010 6:59 AM
  • User1719618853 posted

    Hi,
       interesting post and I've come across this before, however I wouldn't advise hand editing the applicationHost.config file as it could end up damaging your entire installation if you get something wrong.

    A better and safer way of completing this task is to use APPCMD as described in this blog post by Thomas Deml - http://blogs.iis.net/thomad/archive/2008/01/25/ssl-certificates-on-sites-with-host-headers.aspx

    Also

    before making any changes, a top tip is to perform a backup of the configuration using APPCMD :

    c:\windows\system32\inetsrv\Appcmd.exe add backup "NameOfBackup"

    That way you can revert if anything goes wrong :)

     I've added this comment to your blog post too but thought it important to add to the forum for the benefit of future readers here too.

    Cheers

    Andrew

    Thursday, November 18, 2010 10:44 AM
  • User989702501 posted
    Ha! sorry was OOP. Normally, i just go to the config file and change it :)
    Monday, November 22, 2010 8:56 PM
  • User828040291 posted

    SSL host headers in IIS 7 allow you to use one SSL certificate for multiple IIS websites on the same IP address. Through the IIS Manager interface, IIS only allows you to bind one site on each IP address to port 443 using an SSL certificate. If you try to bind a second site on the IP address to the same certificate, IIS 7 will give you an error when starting the site up stating that there is a port conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address, you will need to set up SSL Host Headers by following the instructions on this link.

    Thursday, November 17, 2011 7:31 AM
  • User-1416235779 posted

    I've noticed in this thread many people asking how to secure different top-level domains using SSL and/or IIS. On the SSL side, many of the responses mentioned Wildcard certificates, but this doesn't help when the top-level domain is different. On the IIS side, some are suggesting tweaks in IIS 7 and this comes with its own headaches.

    I've had the same need and felt compelled to share my preferred solution. I've found that Unified Communication certificates work wonderfully; originally designed for Exchange Server, these certificates actually secure different top-level domains using Subject Alternative Names (SANs). This keeps it down to a single certificate on the web site.

    Here's a link to an example (happens to be my preferred SSL provider).

    I hope this helps someone!

    Sunday, December 18, 2011 3:53 PM
  • User1018573045 posted
    We have found Microsoft guidance for Secure Socket Layer (SSL) on IIS 7. The guideline includes the necessary information, including screenshots, with step-by-step guidance. The guidance also includes additional information such as suitable SSL certificate selection for IIS 7, 128 Bit SSL Certificate Understanding, and Client SSL Certificates for IIS. Grab further information over here, link
    Monday, April 9, 2012 8:00 AM