Supporting multiple sites with a single SSL Certificate

There are a couple of ways I’m aware of you can support multiple web sites with a single SSL certificate using the same port.

  1. Wild card certificate
    Useful for when your collection of sites are on the same domain.
    For example:
    mysane.site.com, myinsane.site.com, mycrazy.site.com
  2. Unified Communications Certificate (UCC) / Subject Alternative Name (SAN) / MultiDomain
    Useful for when your collection of sites are on different domains.
    For example:
    mysanesite.com, myinsanesite.com, mycrazysite.com

You can choose to purchase a SSL cert,
you can use convergence (check out Moxie Marlinspikes talk on the subject),
or you can create a self signed one.

If you chose to create a self signed certificate

IIS 7.x

Click on the root machine node in the left tree view of IIS (7.x) manager.
Then double click the “Server Certificates” icon in the Features View.

Server Certificates

This will show you all the certificates currently registered on the server.
You will be able to see in the Actions pane,
that you can Import or create your own certificate.
To create the self signed wild card certificate,
chose “Create Self-Signed Certificate…”.
Give it the friendly name *.site.com
Ok.
The certificate will be registered on you machine.

Server Certificates

Now for each site you want to use the certificate for,
right click -> Edit Bindings… -> Add.
Select the Type to be https,
and select the certificate you just created from the SSL certificate drop down menu.
Ok -> Close.
Repeat these steps for the rest of the sites you want to share the certificate.

Using the appcmd utility

We now add the https binding and host information to our sites that need to share the wild card certificate.

Run a command prompt as administrator and

cd to %WINDIR%\system32\inetsrv

The format of the command looks like the following:

appcmd set site /site.name:"<your website name>" /+bindings.[protocol='https',bindingInformation='*:443:<your ssl domain>']

For our above three sites we wanted to use the same certificate,
mysane.site.com, myinsane.site.com, mycrazy.site.com
They may be named respectively:
mysane, myinsane, mycrazy
So for example,
we’d run the following commands:

appcmd set site /site.name:"mysane" /+bindings.[protocol='https',bindingInformation='*:443:mysane.site.com']

You should get feedback similar to the following:

SITE object "mysane.site.com" changed

if all goes well

appcmd set site /site.name:"myinsane" /+bindings.[protocol='https',bindingInformation='*:443:myinsane.site.com']

You should get feedback similar to the following:

SITE object "myinsane.site.com" changed

if all goes well

appcmd set site /site.name:"mycrazy" /+bindings.[protocol='https',bindingInformation='*:443:mycrazy.site.com']

You should get feedback similar to the following:

SITE object "mycrazy.site.com" changed

if all goes well

Although I normally keep it simple and name my sites the same as the URL (your ssl domain) I want to use.

IIS 6

Now this is a bit more work than with IIS 7.

If it’s not already installed, you’ll need the SelfSSL tool.
You can get this from the SSL Diagnostics Kit or the IIS 6.0 Resource Kit which contains lots of other stuff.
Once installed, run IIS.

Create the self signed wildcard certificate

You’ll need to generate the certificate for one existing IIS site.
For the first site take note of the site idendifier.
You can see this in the right pane when you select Web Sites from the server node in the IIS manager.
Open a command prompt, you’ll need to run the SelfSSL app.
Actually I think the easiest way to run this is Start menu -> All Programs -> IIS Resources -> SelfSSL -> SelfSSL.
The command string looks like this:

selfssl /n:cn=<your wild card domain> /s:<first website identifier> /P:<port you want to use> /v:<number of days to expiration>

So for example, we’d run the following command:

selfssl /n:cn=*.site.com /s:1 /P:443 /v:365

Options for SelfSSL

selfssl /?

some of them are:

/N: – This specifies the common name of the certificate. The computer name is used if there is no common name specified.
/K: – This specifies the key length of the certificate. The default is length 1024.
/V: – This specifies the amount of time the certificate will be valid for, calculated in days. The default setting is seven days.
/S: – This specifies the Identifier of the site, which we obtained earlier. The default will always be 1, which is the Default Web Site in IIS.

Assign the certificate to the sites that need it

Have a look at the site properties in IIS Manager -> Directory Security tab -> Server Certificate button.
This will start the IIS wizard.
Click Next -> Assign an existing certificate -> Next.
You should see the wild card certificate you created.
Select it, click next, and make sure you assign it the same port that was assigned to the first site.

Configure the SecureBindings

In order for IIS to use the host headers with SSL and secure the certificate as we did with appcmd,
you’ll need to run the following command for each of the sites that require it.
My adsutil is found in C:\Inetpub\AdminScripts\
It’s probably not in your path, so you’ll have to run it from location.
cscript adsutil.vbs set /w3svc/<website identifier>/SecureBindings ":443:<your ssl domain>"
So for example, we’d run the following command:
cscript adsutil.vbs set /w3svc/1/SecureBindings ":443:mysane.site.com"
That should be it.

Now if you need to remove a certificate from your store

Run mmc.exe
File menu -> Add/Remove Snap-in… -> Add… -> select Certificates -> Add -> select Computer account -> Next -> select Local computer -> Close -> Ok.
Select the Certificates node, expand Personal, Certificates.
Now in the right window pane, you can manage the certificates.
Delete, Renew etc.
About these ads

Tags: , ,

9 Responses to “Supporting multiple sites with a single SSL Certificate”

  1. binarymist Says:

    Just added the section on IIS 6.

  2. Brack Says:

    It seems it wasn’t that easy for me, would you know whats wrong from the following debug ouuptt?(14:41:09) proxy: Connected to omega.contacts.msn.com:443.(14:41:10) nss: subject=CN=*.contacts.msn.com,OU=MSN Contact Services,O=MSN,L=Redmond,ST=WA,C=US issuer=CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com(14:41:10) nss: partial certificate chain(14:41:10) certificate/x509/tls_cached: Starting verify for omega.contacts.msn.com(14:41:10) certificate/x509/tls_cached: Checking for cached cert (14:41:10) certificate/x509/tls_cached: Not in cache(14:41:10) certificate: Checking signature chain for uid=CN=*.contacts.msn.com,OU=MSN Contact Services,O=MSN,L=Redmond,ST=WA,C=US(14:41:10) certificate: Singleton. We’ll say it’s valid.(14:41:10) certificate/x509/tls_cached: Checking for a CA with DN=CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com(14:41:10) certificate: Failed to verify certificate for omega.contacts.msn.com(14:41:10) msn: Operation {} failed. No response received from server.

  3. binarymist Says:

    Um, you’d have to provide some more information.
    What were your exact steps?

  4. Self-Signed Certificates on IIS 7 – the Easy Way and the Most Effective Way | 資訊與工作 Says:

    […] Supporting multiple sites with a single SSL Certificate « Binarymist Using the appcmd utility […]

  5. Lelala Says:

    Is it possible to set also SSL certificate with this appcmd command line tool?

  6. Ben S Says:

    this was a big help. thank you!

  7. Soporte Suplidora Royal Says:

    Excelente! Muchas gracias por la ayuda!!

  8. Todd Hensley Says:

    Is it normal after doing this in IIS 7 for there to be TWO binding rows now for https for each site? For example, after I do this on my server “mysane.site.com” would show two https bindings. In the “site bindings” dialog that shows them as a list, one has the host name filled in and the other doesn’t. If I bring either of them up with the edit button, they show the SSL certificate filled in but no host name. Weird. IIS certainly seems confused by this whole setup. It doesn’t look like they did a very good job of allowing the use of SSL with host headers!

  9. Mark Cornett Says:

    To get it working ‘without’ a wildcard certificate (using GoDaddy SSL certificate) I edited the sites and filled in the host name on only one site. Both are bound to the SSL. Have two sites running, One has the host name filled in and the other does not. Didn’t work with both host names filled in.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Follow

Get every new post delivered to your Inbox.

Join 216 other followers

%d bloggers like this: