Thursday, April 15, 2010

IIS 7 (7.5): Hosting Multiple SSL Sites On One IP

Since I continually find myself Googling this information whenever I add a new site on our wildcard cert, I figured I'd document it here.

Adding a New Binding:

Requirements:
  1. A wildcard SSL certificate (of the form *.domain.com). I assume the cert is already installed on your server.
  2. An IP you wish to use on multiple IIS sites.
  3. Two or more IIS sites with no SSL binding (I'll touch on changing a binding at the end).
With these in place, adding an SSL cert is quite simple:
  1. In an elevated command prompt navigate to
    C:\Windows\System32\inetsrv
  2. Enter the following command (replace {SITENAME}, {IP}, and {HOSTHEADER} with the appropriate values).
    appcmd set site /site.name:{SITENAME} /+bindings.[protocol='https',bindingInformation='{IP}:443:{HOSTHEADER}']
  3. Check the selected cert in IIS via the bindings window. You can change the cert here, but you cannot change the host header.
That's it.
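To add the same style of binding to several sites at once, here is an added PowerShell wrapper around the appcmd command above (my own example, not part of the original post). It first checks that each host header is actually covered by the wildcard certificate, since a wildcard only matches one label under its domain, then adds the binding and prints the result for verification. The site names, IP, and domain are assumed placeholders.

```powershell
# Added example (not from the original post): add https host-header bindings for
# several sites on one IP with appcmd, after checking that each host header is
# covered by the wildcard certificate. Values below are assumed placeholders.
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$ip       = '192.0.2.10'          # assumed: the shared IP for all sites
$wildcard = '*.example.com'       # assumed: subject of the installed wildcard cert

# Host headers to bind, keyed by IIS site name (assumed values).
$sites = @{
    'Intranet' = 'intranet.example.com'
    'Portal'   = 'portal.example.com'
    'Deep'     = 'a.b.example.com'   # one label too deep for a wildcard cert
}

# A wildcard cert covers exactly one label under its domain, so a.b.example.com
# would produce a certificate name mismatch in browsers even though IIS accepts
# the binding. Catch that before touching the configuration.
function Test-WildcardCovers([string]$wildcard, [string]$hostHeader) {
    $domain = $wildcard.Substring(2).ToLower()            # strip the leading '*.'
    $h = $hostHeader.ToLower()
    if (-not $h.EndsWith('.' + $domain)) { return $false }
    $prefix = $h.Substring(0, $h.Length - $domain.Length - 1)
    return ($prefix.Length -gt 0) -and (-not $prefix.Contains('.'))
}

foreach ($site in $sites.Keys) {
    $hostHeader = $sites[$site]
    if (-not (Test-WildcardCovers $wildcard $hostHeader)) {
        Write-Warning "$hostHeader is not covered by $wildcard; skipping site $site"
        continue
    }
    # ${ip} is braced because "$ip:443" would be read by PowerShell as a
    # drive-qualified variable name rather than the IP followed by a colon.
    & $appcmd set site "/site.name:$site" "/+bindings.[protocol='https',bindingInformation='${ip}:443:$hostHeader']"
    if ($LASTEXITCODE -ne 0) { Write-Warning "appcmd returned $LASTEXITCODE for site $site" }
}

# Verify: show each site's bindings, then confirm HTTP.SYS has a certificate
# attached to the IP:443 endpoint (assigned once through the IIS bindings dialog).
& $appcmd list site /text:bindings
netsh http show sslcert ipport=${ip}:443
```

Run it from an elevated PowerShell prompt; if the netsh output shows no certificate for the endpoint, select the wildcard cert in the bindings window of one site as described in step 3.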

Changing an Existing Binding:

Changing a binding is similar to adding one, with a few alterations to the command:
    appcmd set site /site.name:{SITENAME} /bindings.[protocol='https',bindingInformation='{IP}:443:{HOSTHEADER}'].bindingInformation:{NEWIP}:443:{NEWHOSTHEADER}

10 comments:

kblood said...

is it possible to have three wildcard certs for three different domains for sites hosted on the same IP and still use host headers? I've only seen examples for single certificates.

Joel Potter said...

No. To the best of my knowledge, each individual cert must have a unique IP address.

The reason you can use many host headers with one wildcard cert as described is because all the host headers direct to the same IP.

Khalid said...

kblood: you can have multiple IPs for the same machine. Just add as many as you want and add an entry in your hosts file. It's found in the windows\system32\drivers\etc folder.
Then do the binding as such and you can have as many SSL sites as you have IPs.

andrew said...

Hi: I just tried your command...not clear on how to assign a cert to the website after binding the host-header?

I refreshed ISM after running the command, then clicked on the "bindings..." link for the website, and saw the host-header associated with https/443, but when I tried to assign a cert to it, it erased the host-header info?

andrew said...

Just a followup...I tried assigning the host-header to "website1" and it worked, but when I edited the bindings to assign the certificate, the host-header disappeared.

I then ran the same command for "website2", and it also worked, but when I clicked on "bindings" and "edit", the cert I had assigned to "website1" was already listed.

But it seems to be working, at least for "website2"...the host-header is being used to direct https to website2 instead of website1...my only question, I guess, is do I need to run the appcmd for website1 again, or can I just leave it as the "default" SSL site for the IP?

Joel Potter said...

I haven't tried it, but I would guess that if you had two sites using the same cert and IP and a host header assigned to only one of them then the site with no host header would answer for any requests that did not match the mapped host header on the second site. Thus functioning as the "default" site, as you say.

I haven't needed to set this up in quite some time, so there may have been some change to IIS which causes it to overwrite the host header when you select a cert, but I'm not aware of this. If that is the case, I imagine you could run appcmd to alter the binding after assigning a cert to set the host header back to your desired value.

andrew said...

Thanks Joel: of course what you say makes sense, I was just curious why editing the setting in ISM would erase it...but it seems like it doesn't support it inherently so it's just overwriting it.

Just have to keep in mind that changing the bindings for any reason might require re-running the command.

Long Beach Daoist said...

I tried this and one of the sites for the IP comes up just fine, but the other site returns an HTTP 404 error.

If I change the site with the 404 error to another IP on the box, it works just fine.

Any idea how to get around that?

Job Vermeulen said...

I can only bind one host with this method, the second one keeps resetting the connection.

What is the point of this method then?

Job Vermeulen said...

I found out that the Friendly Name (no joke) has to contain a wildcard like *.domain.com.

So if the subject is a wildcard, the friendly name has to contain the same format. If this is true you can define the host header in IIS in the binding for HTTPS.

You can change the friendly name in MMC->Certificates->Computer->Select certificate -> Edit and change the friendly name.