
I have two subdomains pointing at the same IP address, i.e.

sub1.example.com

sub2.example.com

Each subdomain maps to a site (let's say sub1 and sub2, respectively) in IIS 7.5 on Windows Server 2008 R2. Both sites are non-production sites (a dev and a release candidate).

What I'd like to do is enable HTTPS on both sites via SSL certificate(s) and have access to both sites on port 443. I have downloaded SelfSSL7 in order to generate certificate(s) to use, but I am having trouble with understanding how all the pieces go together.

As I understand it, I need to enable an HTTPS binding for each site via

Right Click -> Edit Bindings... -> Add Https binding

Going this route does not allow one to edit the Host Name, which in the case of sub1.example.com I believe I need to set to sub1.example.com.

I can generate a certificate with SelfSSL7 on the command line using

SelfSSL7 /N cn=sub1.example.com /K 2048 /V 3650 /I /S "sub1" /P443 /A * /T

This adds the certificate under the Server Certificates in IIS 7.5 and also adds it as the certificate to use for site sub1. The Host name under the HTTPS binding for sub1 is still blank however.

Now, if I go and attempt to generate another certificate for sub2 using the above command (substituting the cn name and site name appropriately), a message comes up

SSL Binding for *:443: already exists. Use /Q to overwrite

If I understand correctly, the first certificate that I have generated is being used for any host headers that come through on port 443. The end result is that requests to either https://sub1.example.com or sub2.example.com both go to the sub1 site.

How can I configure this correctly for what I'd like to do? I'm either missing a step or I misunderstand how certificates work. Any help would be greatly appreciated and I can add more details if necessary.

1 Answer


No, you cannot do it -- IIS does not support different certificates on the same port -- only one unique SSL Certificate per IP:port pair (search on this site -- plenty of answers for similar questions, for example: Using several SSL certificates on same IP with IIS 7 ).

Basically you have 2 choices:

  1. Put each site on a different HTTPS port: for example 444. You access such a site with the port number included in the URL (which is perfectly fine when used for development or when putting a non-important site on SSL) -- http://sub2.example.com:444/

  2. Generate/obtain a wildcard certificate (*.example.com). This site has instructions on how one such certificate can then be used by multiple sites: http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

LazyOne
  • Thanks. I thought that I may have to have only one wildcard certificate. SelfSSL7 doesn't appear to generate a wildcard cert though, are there any other (free) tools available that can generate one? I don't want to pay for a cert for dev/staging purposes only. – bertie-bassett Jul 08 '11 at 12:43
  • I went with the IIS 7.5 `Create Self Signed Certificate` in the end, with a name of `*.example.com`. This works and allows me to set the host name on the HTTPS binding on each site. It would be good if one could also control the `cn` names associated with the generated certificate, but I can live with this. Thanks for your help, very much appreciated :) – bertie-bassett Jul 08 '11 at 12:54
  • @bertie-bassett I guess that you can mark my answer as accepted then (if it was useful) :) – LazyOne Jul 08 '11 at 14:04
  • @LazyOne - Done! – bertie-bassett Jul 08 '11 at 17:42
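
Added example, not part of the original answer or comments: a PowerShell sketch of option 2 as it was resolved in the thread, giving each site a host-named HTTPS binding on port 443 and pointing the single `*:443` SSL binding at the shared wildcard certificate. It assumes the WebAdministration module that ships with IIS 7.5, an elevated prompt, the site names `sub1` and `sub2` from the question, and that the certificate's friendly name is `*.example.com` as described in the comment.

```powershell
# Added example: share one wildcard certificate between two IIS 7.5 sites on port 443.
# Assumptions: run elevated on the IIS server; site names and host names are taken
# from the question; the certificate's friendly name is '*.example.com'.
Import-Module WebAdministration

$certName = '*.example.com'
$sites = @{
    'sub1' = 'sub1.example.com'
    'sub2' = 'sub2.example.com'
}

# Locate the wildcard certificate in the machine's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $certName } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with friendly name '$certName' found in LocalMachine\My"
}

# Give each site its own host-named HTTPS binding on *:443.
# IIS routes by host header after the TLS handshake, so both sites can share the port.
foreach ($site in $sites.Keys) {
    $hostName = $sites[$site]
    if (-not (Get-WebBinding -Name $site -Protocol https -HostHeader $hostName)) {
        New-WebBinding -Name $site -Protocol https -IPAddress '*' -Port 443 -HostHeader $hostName
    }
}

# There is only one certificate slot per IP:port pair. Replace whatever is bound
# to 0.0.0.0:443 (for example the sub1-only certificate created by SelfSSL7)
# with the wildcard certificate.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) {
    Remove-Item $sslPath
}
$cert | New-Item $sslPath | Out-Null

# Show the result: one SSL binding for port 443, carrying the wildcard thumbprint.
Get-ChildItem IIS:\SslBindings
```

A blank-host HTTPS binding left on `sub1` by the earlier SelfSSL7 run still acts as a catch-all for port 443; remove it in the Bindings dialog if requests for unknown host names should not reach that site.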