Supporting multiple sites with a single SSL Certificate

There are a couple of ways I’m aware of to support multiple web sites with a single SSL certificate on the same port.

  1. Wildcard certificate
    Useful when your collection of sites is on the same domain.
    For example:
    mysane.site.com, myinsane.site.com, mycrazy.site.com
  2. Unified Communications Certificate (UCC) / Subject Alternative Name (SAN) / multi-domain certificate
    Useful when your collection of sites is on different domains.
    For example:
    mysanesite.com, myinsanesite.com, mycrazysite.com

You can choose to purchase an SSL cert,
you can use Convergence (check out Moxie Marlinspike’s talk on the subject),
or you can create a self-signed one.
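Which of the two certificate types above you need comes down to the name-matching rules a browser applies to the certificate the site presents. The following is an added example (not code from the original post) that implements those rules for constructed certificate names: a wildcard only covers one label directly under the domain, so *.site.com covers mysane.site.com but not site.com or a.mysane.site.com, while the unrelated domains need a SAN list.

```python
"""Check which hostnames a certificate's names cover (RFC 6125 rules).

Added example, not part of the original post. Certificate names are
constructed inline; cert_covers_host() mimics the check a browser makes
when every IIS site on *:443 answers with the same shared certificate.
"""


def _name_matches(pattern, host):
    """Match one certificate name (possibly '*.site.com') against a host.

    Only a single leading '*' label is honoured: '*.site.com' matches
    'mysane.site.com' but not 'site.com' or 'a.mysane.site.com', and a
    partial wildcard such as 'my*.site.com' is rejected. Refusing to match
    a wildcard with fewer than three labels ('*.com') is a deliberate
    simplification that mirrors what browsers do for public suffixes.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or "*" in pattern[2:] or len(plabels) < 3:
        return False
    if len(hlabels) != len(plabels):
        return False
    return hlabels[1:] == plabels[1:]


def cert_covers_host(subject_cn, sans, hostname):
    """True if hostname is covered by the SAN dNSNames (or the CN when no SAN)."""
    names = sans if sans else [subject_cn]
    return any(_name_matches(n, hostname) for n in names)


# Constructed sample certificates for the two cases in the post.
WILDCARD_CERT = {"cn": "*.site.com", "sans": []}
SAN_CERT = {"cn": "mysanesite.com",
            "sans": ["mysanesite.com", "myinsanesite.com", "mycrazysite.com"]}


def uncovered_hosts(cert, hostnames):
    """Return the hostnames this shared cert would NOT cover (browser warning)."""
    return [h for h in hostnames
            if not cert_covers_host(cert["cn"], cert["sans"], h)]
```

Running uncovered_hosts over the host headers you bind to *:443 tells you, before any client complains, which sites will still warn; an empty list means every bound hostname is covered by the one certificate.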

If you choose to create a self-signed certificate

IIS 7.x

Click on the root machine node in the left tree view of IIS (7.x) Manager.
Then double-click the “Server Certificates” icon in the Features view.

Server Certificates

This will show you all the certificates currently registered on the server.
In the Actions pane you will see that you can import or create your own certificate.
To create the self-signed wildcard certificate,
choose “Create Self-Signed Certificate…”.
Give it the friendly name *.site.com
Ok.
The certificate will be registered on your machine.

Server Certificates

Now for each site you want to use the certificate for,
right click -> Edit Bindings… -> Add.
Select the Type to be https,
and select the certificate you just created from the SSL certificate drop-down menu.
Ok -> Close.
Repeat these steps for the rest of the sites you want to share the certificate with.

Using the appcmd utility

We now add the https binding and host header information to each site that needs to share the wildcard certificate.

Run a command prompt as administrator and

cd to %WINDIR%\system32\inetsrv

The format of the command looks like the following:

appcmd set site /site.name:"<your website name>" /+bindings.[protocol='https',bindingInformation='*:443:<your ssl domain>']

For the three sites above that we wanted to use the same certificate for,
mysane.site.com, myinsane.site.com, mycrazy.site.com
the IIS sites might be named, respectively:
mysane, myinsane, mycrazy
So, for example,
we’d run the following commands:

appcmd set site /site.name:"mysane" /+bindings.[protocol='https',bindingInformation='*:443:mysane.site.com']

If all goes well, you should get feedback similar to the following:

SITE object "mysane.site.com" changed

appcmd set site /site.name:"myinsane" /+bindings.[protocol='https',bindingInformation='*:443:myinsane.site.com']

If all goes well, you should get feedback similar to the following:

SITE object "myinsane.site.com" changed

appcmd set site /site.name:"mycrazy" /+bindings.[protocol='https',bindingInformation='*:443:mycrazy.site.com']

If all goes well, you should get feedback similar to the following:

SITE object "mycrazy.site.com" changed

I normally keep it simple, though, and name my sites the same as the URL (your SSL domain) I want to use.

IIS 6

This is a bit more work than with IIS 7.

If it’s not already installed, you’ll need the SelfSSL tool.
You can get it from the SSL Diagnostics Kit or the IIS 6.0 Resource Kit, which contains lots of other tools.
Once it is installed, open IIS Manager.

Create the self-signed wildcard certificate

You’ll need to generate the certificate for one existing IIS site.
For that first site, take note of the site identifier.
You can see this in the right pane when you select Web Sites under the server node in IIS Manager.
Open a command prompt; you’ll need to run the SelfSSL app.
Actually I think the easiest way to run this is Start menu -> All Programs -> IIS Resources -> SelfSSL -> SelfSSL.
The command string looks like this:

selfssl /n:cn=<your wild card domain> /s:<first website identifier> /P:<port you want to use> /v:<number of days to expiration>

So for example, we’d run the following command:

selfssl /n:cn=*.site.com /s:1 /P:443 /v:365

Options for SelfSSL

To list them, run:

selfssl /?

Some of them are:

/N: – This specifies the common name of the certificate. The computer name is used if no common name is specified.
/K: – This specifies the key length of the certificate. The default length is 1024.
/V: – This specifies how long the certificate will be valid for, in days. The default is seven days.
/S: – This specifies the identifier of the site, which we obtained earlier. The default is always 1, which is the Default Web Site in IIS.

Assign the certificate to the sites that need it

Have a look at the site properties in IIS Manager -> Directory Security tab -> Server Certificate button.
This will start the IIS wizard.
Click Next -> Assign an existing certificate -> Next.
You should see the wildcard certificate you created.
Select it, click Next, and make sure you assign it the same port that was assigned to the first site.

Configure the SecureBindings

In order for IIS to use host headers with SSL (the equivalent of the bindings we added with appcmd above),
you’ll need to run the following command for each of the sites that require it.
My adsutil is found in C:\Inetpub\AdminScripts\
It’s probably not in your path, so you’ll have to run it from that location.

cscript adsutil.vbs set /w3svc/<website identifier>/SecureBindings ":443:<your ssl domain>"

So for example, we’d run the following command:

cscript adsutil.vbs set /w3svc/1/SecureBindings ":443:mysane.site.com"

That should be it.

If you need to remove a certificate from your store

Run mmc.exe
File menu -> Add/Remove Snap-in… -> Add… -> select Certificates -> Add -> select Computer account -> Next -> select Local computer -> Close -> Ok.
Select the Certificates node, expand Personal, Certificates.
Now in the right window pane, you can manage the certificates.
Delete, Renew etc.


9 Responses to “Supporting multiple sites with a single SSL Certificate”

  1. binarymist Says:

    Just added the section on IIS 6.

  2. Brack Says:

    It seems it wasn’t that easy for me, would you know what’s wrong from the following debug output?

    (14:41:09) proxy: Connected to omega.contacts.msn.com:443.
    (14:41:10) nss: subject=CN=*.contacts.msn.com,OU=MSN Contact Services,O=MSN,L=Redmond,ST=WA,C=US issuer=CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com
    (14:41:10) nss: partial certificate chain
    (14:41:10) certificate/x509/tls_cached: Starting verify for omega.contacts.msn.com
    (14:41:10) certificate/x509/tls_cached: Checking for cached cert
    (14:41:10) certificate/x509/tls_cached: Not in cache
    (14:41:10) certificate: Checking signature chain for uid=CN=*.contacts.msn.com,OU=MSN Contact Services,O=MSN,L=Redmond,ST=WA,C=US
    (14:41:10) certificate: Singleton. We’ll say it’s valid.
    (14:41:10) certificate/x509/tls_cached: Checking for a CA with DN=CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com
    (14:41:10) certificate: Failed to verify certificate for omega.contacts.msn.com
    (14:41:10) msn: Operation {} failed. No response received from server.

  3. binarymist Says:

    Um, you’d have to provide some more information.
    What were your exact steps?

  4. Self-Signed Certificates on IIS 7 – the Easy Way and the Most Effective Way | 資訊與工作 Says:

    […] Supporting multiple sites with a single SSL Certificate « Binarymist Using the appcmd utility […]

  5. Lelala Says:

    Is it possible to set also SSL certificate with this appcmd command line tool?

  6. Ben S Says:

    this was a big help. thank you!

  7. Soporte Suplidora Royal Says:

    Excellent! Thanks a lot for the help!!

  8. Todd Hensley Says:

    Is it normal after doing this in IIS 7 for there to be TWO binding rows now for https for each site? For example, after I do this on my server “mysane.site.com” would show two https bindings. In the “site bindings” dialog that shows them as a list, one has the host name filled in and the other doesn’t. If I bring either of them up with the edit button, they show the SSL certificate filled in but no host name. Weird. IIS certainly seems confused by this whole setup. It doesn’t look like they did a very good job of allowing the use of SSL with host headers!

  9. Mark Cornett Says:

    To get it working ‘without’ a wildcard certificate (using GoDaddy SSL certificate) I edited the sites and filled in the host name on only one site. Both are bound to the SSL. Have two sites running, One has the host name filled in and the other does not. Didn’t work with both host names filled in.
