0

I want to apply a certificate to one of my sites on IIS. At the moment, I use a single IP address and use host-headers, to give them friendly names. Can I do this for my SSL site or do I have to use the server name?

masegaloeh
  • 17,978
  • 9
  • 56
  • 104
serialhobbyist
  • 451
  • 3
  • 7
  • 16

4 Answers

1

If each hostname is a subdomain of a single base domain (mail.domain1.com, www.domain1.com), you can use a wildcard certificate with SSL Host Headers. If they are different (domain1.com and domain2.com), you can use a Unified Communications certificate. See http://www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html for how to set up SSL Host Headers in IIS.

Robert
  • 1,575
  • 7
  • 7
1

Strictly speaking, you do not have to use a wildcard certificate (and many CAs would refuse to issue one); you could use a certificate with all your friendly host names listed in the subjectAltName extension of the certificate. This way you could use one certificate for all your host names and avoid wildcard certificates. Anyway, the HTTPS RFC recommends checking the host name against subjectAltName if it is present, and not against the certificate's subject.

Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

abbot
  • 213
  • 1
  • 2
  • 9
0

So long as your certificate has a wildcard in it.

Quentin
  • 1,117
  • 6
  • 10
0

Yes, you can use name-based virtual hosting, but with some fairly strong provisos:

  1. If you want to embrace the bleeding edge and don't care about support for old browsers, you can use Server Name Indication (SNI) (if supported by your web server and clients). This means that the client will inform the server (when it's first starting to talk about SSL) which name it believes it should be talking to.

  2. If your list of sites doesn't change much, and you can't afford to rely on SNI, then you can use a SAN (Subject Alternate Name) certificate that matches multiple names. The names don't even have to have any common domain. (Have a look at the certificate for https://google.com/ and you'll see a lot of names listed.)

  3. If you want to have a lot of names (perhaps dynamically generated), then you can use a wildcard certificate ("*.example.com", which would match anything under *.example.com). There are limitations to that though.

  4. Otherwise, you need to have different IP addresses, and create suitable bindings in your webserver config to say that IP_x uses Certificate_x, which chews through public addresses and is the thing of last resort really.

Cameron Kerr
  • 3,919
  • 18
  • 24
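The two points raised in the answers above, that a client should check the host name against subjectAltName rather than the subject's Common Name, and that a wildcard has limits, as an added example that is not from any of the answers: a small Python checker applying the RFC 2818/6125 name-matching rules to constructed certificates in the dict shape Python's `ssl.getpeercert()` returns (the certificate contents and host names are made up for illustration).

```python
"""Which hostnames does a certificate cover? RFC 2818/6125 matching rules,
applied to the dict shape Python's ssl.getpeercert() returns. Added example."""

def _dns_names(cert):
    """dNSName entries of the subjectAltName extension (empty if none)."""
    return [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]

def _common_name(cert):
    """The subject's commonName, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def name_matches(pattern, hostname):
    """Match one certificate name against a hostname (case-insensitive).
    A wildcard is honoured only as the whole leftmost label and covers exactly
    one label: *.domain1.com matches www.domain1.com but not domain1.com or
    a.b.domain1.com, and a bare *.com pattern matches nothing."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    # wildcard: same label count, and at least two labels after the wildcard
    return len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]

def cert_matches_host(cert, hostname):
    """RFC 2818 s3.1: if the SAN extension carries dNSName entries, only they
    are consulted; the commonName is a fallback only when there are none."""
    sans = _dns_names(cert)
    if sans:
        return any(name_matches(n, hostname) for n in sans)
    cn = _common_name(cert)
    return cn is not None and name_matches(cn, hostname)

# Constructed sample certificates (not real), in getpeercert() shape.
SAN_CERT = {                      # one cert for unrelated friendly names
    "subject": ((("commonName", "domain1.com"),),),
    "subjectAltName": (("DNS", "domain1.com"), ("DNS", "www.domain1.com"),
                       ("DNS", "www.domain2.com")),
}
WILDCARD_CERT = {                 # covers exactly one label under domain1.com
    "subject": ((("commonName", "*.domain1.com"),),),
    "subjectAltName": (("DNS", "*.domain1.com"),),
}
CN_ONLY_CERT = {                  # legacy: no SAN, so the CN is consulted
    "subject": ((("commonName", "mail.domain1.com"),),),
}

if __name__ == "__main__":
    for host in ("www.domain1.com", "domain1.com", "a.b.domain1.com", "www.domain2.com"):
        print(host, cert_matches_host(SAN_CERT, host),
              cert_matches_host(WILDCARD_CERT, host), cert_matches_host(CN_ONLY_CERT, host))
```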