54

Consider a Win 2008 SP2 machine with IIS7. The task is to apply a certificate and host name to the one and only Site on this machine. The site's host headers need to be abc.123.example.com.

The first step was installing the .pfx to the Personal Store, which was successful.

IIS7 finds the cert as available, but won't allow the entry of a host name. The host name textbox is ALWAYS disabled/greyed out, even before selecting my cert. I've even deleted the default port 80 binding.

Site Bindings

Question: how can I set a host name for this site? Is it a matter of this cert being a wildcard cert? I understand that the SSL request comes into the web server, and the host header in the packet is encrypted. Why then would IIS6 allow the host header to be specified, but IIS7 not?

Update: The cert isn't part of the problem. I've created a new Site on the machine, and when choosing https binding, the host name textbox is disabled.

Joel Coel
p.campbell

11 Answers

51

It does work in the GUI...

Just make sure the 'friendly name' of the cert you are installing is the same as the multi-domain name you have made for the cert.

ie. *.companydomain.com

If you put in 'Nice friendly name' for a *.companydomain.com cert, when installing the cert into IIS, it will grey out the host name header box.

If you use *.companyname.com as the friendly name, you're golden.

Boom.

chicks
Lindsay Rex
    Thank you for this tip! In case anybody else can't rename a cert from IIS (can anybody?) you can rename the cert in the MMC snap-in for Certificates. Just load MMC, add the Certificates snap-in, select Computer Account, Local Computer. Once you've loaded the Certificates snap-in you can browse to Certificates (Local Computer) > Personal > Certificates and right click to select Properties on your cert. Change the Friendly name field to *.yoursite.com and reload the IIS manager snap-in – Garrett Mar 01 '13 at 01:45
  • 6
    The friendlyname only seems to need to start with "*" but can contain whatever other name you want for it after that. In my case I had a cert valid for several different domains that didn't have a common root other than *.com and giving that as the friendly name seemed odd. So, I ended up calling it *-my-descriptive-name-here instead. And thanks @Garrett for the rename tip! – wojtow Oct 07 '15 at 21:15
  • 1
    This is the real answer. Nice – Joe Phillips Aug 18 '16 at 18:06
  • @Garrett Does this mean that if I have used a friendly name like 'My Domain SSL', things will still work, even though the host name field is blank? It really freaked me out when I lost my host names, but my 4 wildcard sub domains seem to work fine with the reissued SSL? Clearly using '*.mydomain.com' as a friendly name just allows you to see the host name, but under the hood, both options should work. Otherwise, IIS should be explicitly telling us to use a qualified domain name & not a friendly name? – Charles Robertson Sep 05 '19 at 12:46
34

You can't do it from the UI, you have to do it from the command line. Here's a nice walk through of the process:

http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

joeqwerty
  • 36
    handy trick, give the cert a friendly name starting with '*' and IIS won't gray out the host-header box: http://blog.armgasys.com/?p=80 – russau Aug 04 '10 at 04:22
  • 1
    I know this is old, and it is only in a comment, but this handy trick saved me some frustration. Thank you! – Brian Pursley Aug 17 '18 at 00:37
  • Since you clearly can do this from the UI, (see other answer) this answer should be removed, or at least updated. – NiKiZe Jun 01 '20 at 00:23
  • `1.` You can't add a host header in the way the OP needed to, as pointed out in the answer you're referring to. `2.` This question and answer are 11 years old. Nobody is looking at this question and answer any longer. – joeqwerty Jun 01 '20 at 00:56
10

The short answer is that each IP can only have one certificate bound to it, so the certificate binding is going to apply no matter what hostname is directed to that IP address. Being able to specify a hostname would imply that you can have multiple hostname and certificate combinations on the same IP address and port (as you can with non-SSL entries), but this is not the case, so the field is unavailable.

The more complete explanation is that SSL encrypts your traffic, and part of that traffic is the HTTP headers sent by the browser to the server. One of those headers would be the "Host" header which IIS uses to determine which site to load up with the request. Since the certificate needs to be loaded to establish the secure connection BEFORE the request headers are sent, IIS has to select the certificate based only upon the IP address and port number, leaving the "Host" header out in the cold as a factor in determining which site to load, so they don't let you enter one.

Here is an article which outlines the inner workings of the SSL connection in finer detail.

voretaq7
Justin Scott
  • Thanks for this answer, Justin. I am still unsure why IIS7 doesn't let me specify a host header, even when I pick one of the IP addresses in the list. IIS6 does without any problems. As mentioned, this is the one and only site on the machine. – p.campbell Dec 23 '09 at 02:56
  • 2
    Host headers can work with a wildcard cert, or a multi-domain "UC" cert: http://www.sslshopper.com/unified-communications-uc-ssl-certificates.html. In this case the server only has 1 cert to serve even though there are multiple hostnames. – russau Aug 04 '10 at 04:24
  • Very clear explanation. +1 – Dan Solovay Oct 03 '17 at 02:24
  • This is not true in later versions of IIS that support `SNI` – NiKiZe Jun 01 '20 at 00:26
9

The SSLShopper answer did not work for me because it left the binding without the host header, and you couldn't remove that binding without breaking the connection to the certificate. Here is the method I used to get it to work:

Please note that this answer assumes that your certificate has already been generated, added to the certificate store, and added to IIS. It also assumes you do not want any other bindings to your website besides the SSL one.

First, we need to gather some information. We need the hash, the application ID and the host name.

Steps

  1. Open IIS, select your server and double click on "Server Certificates" in the bottom section. Note the "Issued To" address. This is our host name. Save this.
  2. Select your site
  3. Bind your site to port 80 using the http protocol
  4. Remove all other bindings
  5. Bind your site to port 443 using the https protocol
  6. Open a command prompt

    netsh http show sslcert
    
  7. Save the Certificate Hash and the Application ID

  8. Remove the https binding on your site
  9. At the command prompt:

    netsh http add sslcert ipport=0.0.0.0:443 certstorename=my certhash=<put Certificate Hash here> appid={<put Application ID here>}
    
    appcmd set site /site.name:"<put site name here>" /+bindings.[protocol='https',bindingInformation='*:443:<put host name here>']
    

Note: Appcmd.exe can be found in C:\Windows\System32\inetsrv. You may need to be in that folder for this command to work.

  10. Remove the http binding from your site

Rekby
  • Thanks! This helped me finally get my site working in HTTPS. I corrected a typo in one of the commands, but I had to add the Steps heading to get past the minimum length requirements. Feel free to remove that - your original answer is easy to follow. Cheers! – potatopeelings Mar 10 '16 at 08:09
  • This worked for me with a certificate with 6 SANs (not a wildcard certificate) with a slight variation because I had multiple sites. I had to do steps 1 to 7 once. Step 8 had to be done on each site. The first command of step 9 had to be done once and the second command of step 9 had to be done once per site. – Steve Kaye Jul 18 '18 at 08:31
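The netsh/appcmd procedure above, scripted in PowerShell as an added example (these are not Rekby's own commands). It assumes the certificate, with its private key, is already in the Local Computer Personal store, that the site name, host name and certificate CN below are placeholders you replace, and that it runs from an elevated prompt; instead of reading the hash from `netsh http show sslcert` (steps 3 to 7) it looks the certificate up in the store directly.

```powershell
# Added example: automate steps 6-10 of the procedure above. Assumptions: the certificate
# is in Cert:\LocalMachine\My, and the values below are placeholders to replace.
$SiteName      = 'Default Web Site'       # placeholder site name
$HostName      = 'abc.123.example.com'    # host header from the question
$CertSubjectCN = '*.123.example.com'      # Subject CN of the cert (wildcard assumed)
$AppId         = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'  # assumed: the app id IIS itself registers; http.sys accepts any GUID
$AppCmd        = "$env:windir\System32\inetsrv\appcmd.exe"

# Steps 1 and 7: find the cert by exact Subject CN (escaped, so '*.' is literal), require a
# private key (an SSL binding is useless without one) and take the newest if several match.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ('^CN=' + [regex]::Escape($CertSubjectCN) + '(,|$)') -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$CertSubjectCN and a private key in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }

# Step 9a: bind the cert to 443 on all IPv4 addresses. http.sys refuses a second binding on the
# same ipport, so drop any stale one first (the delete simply fails if none exists).
netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid=$AppId" certstorename=MY
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# Step 9b: add the https binding carrying the host header; step 10: remove the port-80 binding.
& $AppCmd set site /site.name:"$SiteName" "/+bindings.[protocol='https',bindingInformation='*:443:$HostName']"
& $AppCmd set site /site.name:"$SiteName" "/-bindings.[protocol='http',bindingInformation='*:80:']"

# Verify both halves: the http.sys certificate binding and the IIS site binding.
netsh http show sslcert ipport=0.0.0.0:443
& $AppCmd list site /site.name:"$SiteName"
```

As Steve Kaye's comment notes, with several sites on one IP the `netsh` binding is done once and the `appcmd` binding once per site.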
5

The accepted answer here is confusing and I don't think it's correct for the question. It shouldn't be the accepted answer.

The problem

You have a wildcard SSL such as *.ipsum.com and the certificate is installed but you can't choose a host name for the site in IIS when you try to add an HTTPS binding because the text box is greyed out.

The solution

Your wildcard SSL can be used with any subdomain, you just need to make sure you start the Friendly Name of the certificate with *. I prefer to use the same friendly name as the wildcard domain, e.g. *.ipsum.com, but you can call it anything that begins with the asterisk: *foo

I gave my certificate the wrong Friendly Name, help!

Since Windows 8 or Server 2012, you can type certlm.msc in the start menu to manage certificates for the local machine. On previous versions of Windows you will need to do something slightly more convoluted:

  1. Run mmc.exe from start
  2. Go to File menu and choose Add/Remove Snap-in... or hit (Ctrl-M)
  3. Highlight the Certificates snap-in and hit Add > then choose Computer Account followed by Local Computer in the subsequent dialogs then hit Finish followed by OK to close the Snap-ins window

In the main window, expand Certificates (Local Computer) then Personal then Certificates and you will be able to right-click the certificate, hit Properties where you can update the friendly name.

Close and open IIS Manager and you can then set your host name.

Zac
  • 1
    It did the trick! – Kreker Jun 11 '18 at 08:34
  • 1
    @Zac Awesome. Awesome. Awesome. Although I don't actually think it matters if the host name field is blank, it gave me more peace of mind. Please bear in mind, that I was re-issuing my certificate. So my host name was already in the host name field before it went blank. My wildcard SSL seemed to work with either a friendly name or .*mydomain.com type name. I think IIS keeps an internal record of the host name, after the host name field goes blank. I thought I should mention this, in case people are freaking out! – Charles Robertson Sep 05 '19 at 13:01
  • 1
    @Zac Oh. And this solution works on dinosaur servers like Windows 2008R2... – Charles Robertson Sep 05 '19 at 13:03
  • @CharlesRobertson very glad this helped, and thanks for adding that supplementary info! – Zac Sep 06 '19 at 16:31
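A PowerShell version of the rename step above, added here as an example (it is not Zac's procedure): it audits the Local Computer Personal store for wildcard certificates whose Friendly Name does not start with an asterisk, the condition the answers identify as greying out the host name box, and writes a new Friendly Name to the one you pick. The thumbprint in the usage line is a placeholder.

```powershell
# Added example: audit and fix certificate Friendly Names from PowerShell instead of MMC.
# Assumes the certificates live in Cert:\LocalMachine\My (Certificates (Local Computer) > Personal).

function Get-MisnamedWildcardCert {
    # A wildcard cert has a Subject CN beginning with '*.'; per the answers above, IIS only
    # enables the host name box when the Friendly Name also begins with '*'.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match '^CN=\*\.' -and $_.FriendlyName -notmatch '^\*' } |
        Select-Object Thumbprint, Subject, FriendlyName, NotAfter
}

function Set-CertFriendlyName {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$FriendlyName
    )
    if ($FriendlyName -notmatch '^\*') {
        throw "Friendly Name '$FriendlyName' does not start with '*'; IIS would keep the host name box disabled"
    }
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # Setting FriendlyName on an object obtained from the Cert: drive writes the property
    # back to the store; it is the same field MMC edits under Properties.
    $cert.FriendlyName = $FriendlyName
    # Re-read from the store so the caller sees what actually persisted.
    (Get-Item "Cert:\LocalMachine\My\$Thumbprint").FriendlyName
}

# Usage from an elevated prompt; restart IIS Manager afterwards, as the answer says.
Get-MisnamedWildcardCert | Format-Table -AutoSize
# Set-CertFriendlyName -Thumbprint '<put Certificate Hash here>' -FriendlyName '*.ipsum.com'
```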
2

Actually, you can add a host header via the GUI, but it depends on how the certificate is named ... If I give a friendly name of *.xyz.com to my wildcard cert, and select that cert, then I'm able to use the GUI. If the friendly name is something like xyzwildcard, and I choose that, then it grays out the host header field...

Weird weird

tialen
1

Some machines won't let you edit the host name if the protocol is changed to https or after adding an SSL certificate. IIS can be grumpy at times.

This Windows command will create a new binding with protocol "https", on port "443", host name "subdomain.domain.com", site name "site name". Change those values (in quotes) to meet your requirements. You will then need to delete the old binding if it's using port 443.

Run Windows Command Prompt as Administrator

C:>cd C:\Windows\System32\inetsrv

C:\Windows\System32\inetsrv>appcmd set site /site.name:"site_name" /+bindings.[protocol='https',bindingInformation='*:443:subdomain.domain.com']

MacGyver
0

Hostname can be added only when the friendly name of the selected certificate is like the hostname *.xyz.com, and you can rename the certificate friendly name to *.xyz.com from mmc (snap-in).

Umer Khan
-1

Why MS takes this OUT of the GUI is beyond me, since, if you have an ASP.NET application that makes use of license files (licx), your site will not work because it shows up as an IP address instead of a domain name. They need to STOP ASSUMING on every new release of their software - IT people do not need to be babysat by Microsoft! Geez!

-1

I think this KB article will shed some light on the issue. In a nutshell, HTTP 1.1 host headers are not supported when you use SSL.

What will probably accomplish what you want is to use the SecureBindings metabase key. E.g. cscript.exe adsutil.vbs set /w3svc/websiteID/SecureBindings "ip.ip.ip.ip:443:abc.123.mysite.com"

Jim B
-2
  1. I created a self-signed certificate with *.testcompany.com, I selected the newly created one (starting with *) in the Edit binding SSL Certificate drop down, I got the host name text box enabled, and created the host name as 'webapi.b2c.com'.

  2. I updated the hosts file in C:\Windows\System32\drivers\etc: 127.0.0.1 webapi.b2c.com

Now I am able to browse the site as 'https://webapp.b2c.com/'