4

This may sound a little stupid, but I'm more of a dev guy than a server admin and I am incredibly boneheaded when it comes to IIS. So please bear with me here.

I currently have a client that has a dedicated 2K3 box running IIS6. They are hosting one site on this box, with two domains resolving to that site (domain1.com, domain2.com). The site is stored in the typical C:\Inetpub\www folder. In addition, there is a section of the site that is protected by SSL. There are two SSL certs, one for each domain.

When a user goes to https: // domain1 . com, everything is fine. However, when the user goes to https: // domain2 . com, Internet Explorer kicks up a security warning. Obviously, this is not what we want. (I had to put spaces in the URL because ServerFault won't let me post more than one URL at a time since I'm new here).

Here is a bit of information as best as I can give it about the site setup in the IIS Manager.

There are two sites listed here, "domain1.com" and "Administration". When I go into the properties for domain1.com, the IP address has a value of "(All Unassigned)".

Under Advanced, "domain2.com" is listed with an IP address of "Default". Also, in "Multiple SSL identities for this Web site" there is one entry with the IP address of "Default" and the standard SSL port of 443.

I can view the certificate for domain1.com under "Directory Security > View Certicate". It appears everything is OK there.

So, to recap: I am trying to set up separate SSL certificates for separate domains that both lead to the same place. Is this possible? If anyone can explain the process to me (and dumb it down as much as possible) or at least point me in the right direction, it would be greatly appreciated.

Please let me know if this doesn't make any sense, or if I didn't provide you with enough (or the right) information.

Charles Chadwick
  • 63
  • 1
  • 6

4 Answers4

5

You can't use virtual hosts with SSL, so to host two sites both using SSL you have to have 2 ip addresses, each one with a specific host and ssl cert bound to it.

In short you need 2 ip addresses on your server, one bound to domain1.com, and one bound to domain2.com, and 2 IIS sites one for domain1.com, and one for domain2.com. They can both serve up the same content, but will need to be separate sites.

Apache supports something called SNI (see here) which allows you to do vhosts with SSL but this isn't support by IIS currently.

Whisk
  • 1,883
  • 1
  • 16
  • 21
  • 2
    In addition to using multiple IPs, you can have a single IP but different (obviously non-standard) ports, and then have a proxy in accelerator mode in front of the server to accept incoming requests and direct them to the correct IP and/or port number. – Max Alginin Nov 03 '09 at 22:41
  • IIS kind of has support if you use wildcard domains like *.domain.com. This was introduced in Server 2003 R2. IIS Manager doesn't support it but you can use adsutil or edit metabase.xml directly. It's quirky and you need to make sure that you understand what it's doing, that's why the IIS team haven't enabled it in IIS7 Manager either yet. However, as recommended, having a dedicated IP and site per domain name is the ideal solution and the only clean solution for 2 different domain names (domain1.com and domain2.com). – Scott Forsyth Nov 03 '09 at 23:16
0

You can use a SNI SSL Certificate. It's allow you to have any website with the same IP address because no IP check will occur, but Host HTTP/1.1 header will be checked to verify SSL certificate.

PS: Old browsers can't check SNI SSL certificates nor transparent proxys with interception.

Aristóteles Machado
  • 71
  • 1
  • 1
0

I'm unable to comment, but IIS most certainly does support SNI (just not IIS 6, which is now more than ten years old). Please see the following post for a very informative discussion of SNI: Multiple SSL domains on the same IP address and same port? Note that SSL 3.0 is now considered insecure due to the Heartbleed vulnerability anyway, so TLS 1.0 should be the minimum supported encryption, making the only downside that it requires HTTP 1.1, which isn't much of a requirement.

Community
  • 1
James
  • 363
  • 2
  • 4
  • 16
0

The best solution is to use a Unified Communications certificate that allows you to include multiple domains in one certificate. Just include both domains in the certificate and you're done. No need to worry about extra IP address or different ports, etc.

Robert
  • 1,575
  • 7
  • 7
  • I've seen these called wildcard certs in the past (allows for *.domain.com all hosted on the same box). – Milner Nov 04 '09 at 16:26
  • 1
    A wildcard cert can serve the same purpose if all the hostnames that need to be secured are on a single base domain (mail.domain.com, www1.domain.com, etc.) In this case, he would need a UC cert because he needs to secure two different base domains (domain1.com and domain2.com). – Robert Nov 05 '09 at 14:30