
I have a site with an SSL certificate. Now I need to add another site, also using HTTPS.

It seems it is possible to do by creating the binding for the new site using another port for the HTTP and HTTPS traffic. This I'd like to avoid, as adding exceptions in the firewalls is a lengthy process due to security policies.

The way I thought was possible to get around adding new ports was to add the site as a subdomain, and then change the SSL certificate to have an additional SAN name that matches the new subdomain.

I tried testing this on my local machine: I added the 443 port with the certificate on both sites, edited the hosts file to contain the subdomain, and then added the subdomain as a hostname to the new IIS website. Only one of the sites can be started; the other one complains that another site may be using the same port.

Questions:

  • I feel it should be possible to use the same certificate on a domain and a subdomain at the same time without jumping through hoops?
  • If the above is not possible, should I then add two new ports, one for HTTP and one for HTTPS, and then use those ports for the new site? The certificate should then work for the new site correctly, right?

EDIT:

Do I need another IP address for the new subdomain?

slm
Moulde

3 Answers


You can use a wildcard certificate for *.domain.com. There are some security issues with this (since anyone with a copy can create a new site and it will show as valid; for instance, if you want company.com and store.company.com and someone gets your private key, they can be store1.company.com and it will show as a valid site).

TheFiddlerWins

On IIS 7.5, two SSL-protected websites require a unique combination of IP address and port. So, you can share the IP address and use different ports, or you can use the same port but then each site would need a separate IP address. You need to choose.

(By the way, there is no problem assigning multiple IP addresses to a Windows server box in order to accomplish this.)

Trondh
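The "separate IP address per HTTPS site" route from the answer above, as an added worked example (this is not code from the answer or from the asker). It assumes IIS 7.5 with the WebAdministration module, two hypothetical sites named Main and Store, a second address 10.0.0.11 already assigned to the server's NIC, and a single certificate in Cert:\LocalMachine\My whose SAN lists both host names; the site names, addresses and thumbprint placeholder are all assumptions. The first step reproduces the diagnosis behind the question's error: without SNI, HTTP.sys keys HTTPS bindings on IP:port only, so two sites on *:443 collide even when their host headers differ.

```powershell
# Added example, not from the original answer. Assumes IIS 7.5 (Windows Server 2008 R2,
# PowerShell 2.0 compatible), hypothetical sites 'Main' and 'Store', the address
# 10.0.0.11 already assigned to the NIC, and one certificate whose SAN covers both hosts.
Import-Module WebAdministration

$thumb   = 'PASTE-CERT-THUMBPRINT-HERE'   # placeholder: thumbprint of the cert in Cert:\LocalMachine\My
$mainIp  = '10.0.0.10'                    # assumed primary address
$storeIp = '10.0.0.11'                    # assumed second address, added to the NIC beforehand

# 1. Diagnose: list every HTTPS binding per site. Two entries ending in ':443:' (or the
#    same ip:443) are the "another site may be using the same port" conflict, because
#    IIS 7.5 ignores the host header for HTTPS.
foreach ($site in Get-Website) {
    Get-WebBinding -Name $site.Name -Protocol https |
        ForEach-Object { '{0,-20} {1}' -f $site.Name, $_.bindingInformation }
}

# 2. Replace the clashing wildcard binding on the new site with one on its own IP,
#    and pin the existing site to the primary IP.
Remove-WebBinding -Name 'Store' -Protocol https -Port 443 -IPAddress '*'
New-WebBinding    -Name 'Main'  -Protocol https -Port 443 -IPAddress $mainIp
New-WebBinding    -Name 'Store' -Protocol https -Port 443 -IPAddress $storeIp

# 3. Attach the same certificate to both IP:port endpoints in HTTP.sys via the IIS: drive.
#    The SslBindings item name is '<ip>!<port>'.
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
foreach ($ip in $mainIp, $storeIp) {
    $path = "IIS:\SslBindings\$ip!443"
    if (-not (Test-Path $path)) { New-Item $path -Value $cert | Out-Null }
}

# 4. Check: HTTP.sys should now show two endpoints with the same certificate hash,
#    and both sites should start.
netsh http show sslcert
Start-Website -Name 'Main'
Start-Website -Name 'Store'
Get-Website | Where-Object { $_.Name -eq 'Main' -or $_.Name -eq 'Store' } | Select-Object Name, State
```

Because the certificate carries both names in its SAN, the same thumbprint can be bound to both endpoints; the client never sees which IP answered, only whether the name it typed is in the certificate.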

On IIS 7.5, you would need unique IP addresses. SNI is not supported before IIS 8.

Michael Hampton
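For completeness, the SNI route that this answer says requires IIS 8 or later, as an added example (not code from the answer or from any of the posters). It assumes IIS 8+, a single shared address, two hypothetical sites Main (www.example.com) and Store (store.example.com), and a certificate in Cert:\LocalMachine\My whose SAN lists both names; the host names and thumbprint placeholder are assumptions. With SNI, the host name becomes part of the binding key, so both sites can share *:443 without extra IPs or ports. The SAN check at the top guards the point the question raises: SNI only selects which certificate is served, the browser still has to find the requested name in it.

```powershell
# Added example, not from the original answers. Assumes IIS 8 or later (SNI support),
# hypothetical sites 'Main' and 'Store' sharing one IP, and a certificate whose SAN
# covers both www.example.com and store.example.com.
Import-Module WebAdministration

$thumb = 'PASTE-CERT-THUMBPRINT-HERE'   # placeholder thumbprint
$names = @{ 'Main' = 'www.example.com'; 'Store' = 'store.example.com' }   # assumed site -> host map
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"

# Refuse to bind if the certificate does not name every host we intend to serve.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
$sanText = $sanExt.Format($false)          # e.g. "DNS Name=www.example.com, DNS Name=store.example.com"
foreach ($name in $names.Values) {
    if ($sanText -notmatch [regex]::Escape($name)) { throw "Certificate SAN does not cover $name" }
}

# SslFlags 1 = SNI binding. The host header is then part of the key, so both bindings on
# *:443 coexist; without -SslFlags 1 this would fail exactly as on IIS 7.5.
foreach ($site in $names.Keys) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' -HostHeader $names[$site] -SslFlags 1
}

# SNI endpoints are registered in HTTP.sys by hostname:port rather than ip:port.
# The appid GUID below is the one IIS itself uses for its SSL registrations.
$appid = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
foreach ($name in $names.Values) {
    netsh http add sslcert hostnameport="${name}:443" certhash=$thumb appid=$appid certstorename=MY
}

# Check: each hostname:443 entry should list the same certificate hash.
netsh http show sslcert
Start-Website -Name 'Main'
Start-Website -Name 'Store'
```

To confirm from a client that the right certificate is returned for each name, `openssl s_client -connect <server>:443 -servername store.example.com` sends that name in the TLS ClientHello, which is what HTTP.sys keys the SNI binding on; a client that does not send SNI (for example an old XP-era browser) gets whatever binding is marked as the fallback, so keep one non-SNI binding or a default certificate if such clients matter.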