1

Possible Duplicate:
Multiple SSL domains on the same IP address and same port?

I have the following situation:

  • first domain: test.domain.com
  • IP: 1.2.3.4
  • Port: 443
  • SSL: Purchased from godaddy and specific to that domain
  • Works fine no issues.

I would like to add another site:

  • test2.domain.com
  • IP: the same
  • Port: can be different
  • SSL: different since I can't use the SSL above because it's specific to the site above.

Now, when I add the HTTPS binding to the second site with the IP:Port combination, it appears to always load the first SSL certificate, ignoring the second certificate.

How can I add a second SSL binding to the same IP using a "different" certificate? Can this be done?

kadourah
  • Not actually an exact duplicate. Judging by the flags (and the fact that I found this page on Google by looking for **that** exactly) this question is focused on IIS 7 while the question linked above is focused on Apache. I'm interested in IIS support for SNI – usr-local-ΕΨΗΕΛΩΝ Jan 08 '12 at 19:41

2 Answers

1

With most current software you can't have different certificates on the server for the same IP (modern TLS versions have an extension for handling this problem, but most clients don't use it yet). So your only options are (a) obtain a certificate for several domains (a wildcard certificate or the like) or (b) get additional IPs for the system.

  • With godaddy, you can get a UCC certificate which has multiple domains – Steven Feb 19 '11 at 22:43
  • 1
    Your use of the word "most" is dubious. IE 7+, Firefox, Chrome, Opera, Safari, the list goes on. Now, IE on WinXP does not support SNI but the competition does. – Phil P Feb 20 '11 at 00:55
  • @Phil P you name the browsers, and there exists numerous other software (whose share can be even larger than the browsers') and this software isn't updated as frequently as browsers (and even browsers are not in corporate environments). – Eugene Mayevski 'Callback Feb 20 '11 at 09:40
  • The OP said port 443, thus it's web traffic. If it's not browsers, it's dedicated tools and the provider of the service gets to dictate API requirements, including SNI. – Phil P Feb 20 '11 at 22:14
  • 1
    @Phil "web traffic" doesn't mean browsers. If it's not browsers, it can be any other HTTPS client, not necessarily a custom service with the capability to dictate anything. – Eugene Mayevski 'Callback Feb 21 '11 at 08:55
0

You could get a Wildcard SSL Cert. That way it would handle all domain names at *.domain.com.

But the real problem has more to do with webserver configuration. With Apache, you can't have different names for an SSL-encrypted server. You would have to run a second SSL-encrypted server with a different port. With a different port, you could actually use the same name.

Bael