
On IIS 7.5 I am trying to achieve this with two websites:

Default Web Site is bound to:

(blank host header port 80 - http)
(blank host header port 443 - https)
go.example.com
www71.example.com
the IP address of go.example.com

2nd web site "Beta" is bound to:

beta.example.com
(blank host header port 443 - https)
* using blank only because it doesn't seem to be possible to 
  bind https to a named host header

And both need to work with SSL. But I have these problems:

  1. When I type in beta.example.com, I see the go.example.com site instead
  2. I cannot seem to add the SSL binding to both websites at once (I have a single *.example.com wildcard certificate). The beta site will not even start if I add the https binding to it.

This is how I have set it up:

[screenshot of the IIS site bindings; image not preserved]

What is the correct way to set it up?

JK01

3 Answers

Without SNI extensions, you can bind only one SSL certificate per IP:port pair. If you need to run 2 HTTPS sites on the same IP -- bind them to different ports and then refer to each such site with the port in the URL (e.g. https://beta.example.com:444/). You can use the same wildcard certificate on different ports without any issue.

If you have more than one site with blank host name (for HTTP protocol), then the one with lower ID should be a "catch all". The same goes for HTTPS -- the one with lower ID should intercept all requests on that port.

On the other hand, you have a wildcard certificate and I have seen one article which says that this can be done in IIS7: http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html . I tried it myself in the past, but it did not work well for me -- quite often IIS was throwing a 5xx error when accessing even static files (which stopped happening when we bound the other host to a different port). Maybe it has been fixed since then.

Chris F Carroll
LazyOne

Although this is an older question, I had a need to accomplish the same thing just recently. It can be done under IIS 7.x by use of Subject Alternate Name certificates. These certificates are preferable to wildcards because they restrict themselves to only the sites specifically listed, thus mitigating attacks based on spoofing a bogus site name within a domain captured under a wildcard.

Once the SAN certificate is imported into IIS, you can use the appcmd tool to specify the additional binding or manually edit applicationHost.config within the section, e.g.

<site name="SomeSite" id="9">
   <bindings>
     <binding protocol="http" bindingInformation="*:80:SomeSite" />
     <!-- bindingInformation is "IP:port:hostheader"; the host header on the https binding is what the IIS 7.x UI will not let you set -->
     <binding protocol="https" bindingInformation="*:443:SomeSite" />
   </bindings>
</site>
David W
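To check an applicationHost.config for the two problems in this thread (two sites claiming the identical blank-host https binding on port 443, and https bindings that carry a host header and therefore need the appcmd route above), here is an added example that is not part of any answer. The config fragment it parses is constructed to mirror the question's two sites; the site ids and the `sample_config` helper are assumptions, not values from the thread.

```python
"""Lint IIS 7.x site bindings in applicationHost.config for the conflicts in this thread."""
import xml.etree.ElementTree as ET
from collections import defaultdict


def sample_config(beta_https_host):
    """Constructed applicationHost.config fragment mirroring the question's two sites."""
    return f"""<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1"><bindings>
    <binding protocol="http" bindingInformation="*:80:" />
    <binding protocol="http" bindingInformation="*:80:go.example.com" />
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
  <site name="Beta" id="2"><bindings>
    <binding protocol="http" bindingInformation="*:80:beta.example.com" />
    <binding protocol="https" bindingInformation="*:443:{beta_https_host}" />
  </bindings></site>
</sites></system.applicationHost></configuration>"""


def parse_bindings(config_xml):
    """Yield (site_name, site_id, protocol, ip, port, host) for every <binding>."""
    root = ET.fromstring(config_xml)
    for site in root.iter("site"):
        for b in site.iter("binding"):
            # bindingInformation is "IP:port:hostheader"; a blank host means catch-all
            ip, port, host = b.get("bindingInformation").split(":", 2)
            yield site.get("name"), int(site.get("id")), b.get("protocol"), ip, port, host


def find_conflicts(config_xml):
    """Return human-readable findings; an empty list means no binding conflicts."""
    findings = []
    claimed = defaultdict(list)  # (protocol, ip, port, host) -> [(site_id, site_name)]
    for name, sid, proto, ip, port, host in parse_bindings(config_xml):
        claimed[(proto, ip, port, host)].append((sid, name))
        if proto == "https" and host:
            # Allowed, but the IIS 7.x UI will not set it: use appcmd and one wildcard/SAN cert
            findings.append(f"{name}: https host header '{host}' must be set with appcmd, "
                            f"with the wildcard/SAN certificate bound to {ip}:{port}")
    for (proto, ip, port, host), sites in sorted(claimed.items()):
        if len(sites) > 1:
            names = ", ".join(n for _, n in sorted(sites))
            findings.append(f"{proto} {ip}:{port}:{host or '<blank>'} is claimed by {names}; "
                            "IIS starts only one of them")
    return findings


if __name__ == "__main__":
    for host in ("", "beta.example.com"):
        print(f"Beta https host header = {host or '<blank>'}")
        for line in find_conflicts(sample_config(host)) or ["no conflicts"]:
            print("  -", line)
```

Run it against a real applicationHost.config by passing the file contents to `find_conflicts` instead of `sample_config(...)`.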

Server Name Indication is not yet supported in IIS 7 or 7.5. Hopefully they will implement this feature in the next IIS: http://forums.iis.net/p/1161905/1923273.aspx

Jozef Izso