How To Configure SSL Host Headers in IIS 6

If you need to set up SSL Host Headers for IIS 7 instead of IIS 6, see SSL Host Headers in IIS 7.

Because of the way that the SSL protocol works, it is normally necessary to have a unique IP address for each SSL certificate that you are using. This is because the host header information that tells the server which website to serve up and therefore which SSL certificate to use is encrypted and can't be unencrypted unless it knows which SSL certificate to use. It's like the "chicken and egg" problem. The Apache web server documentation explains the problem clearly.

If you have to use the same IP address for multiple sites, one simple solution is to just use different port numbers. For example:

https://site1.mysite.com
https://site2.mysite.com:8081
https://myothersite.com:8082

But doing it this way requires that you always visit the site using the port number and always reference it in links with the port number.

There is a more elegant method, if you have IIS 6.0 or later. That method is to use SSL Host Headers.

With SSL Host Headers, you will essentially use one SSL certificate for all of the sites that use SSL on a particular IP address. For this to work then, you will need to have either a Wildcard certificate or a Unified Communications Certificate. If all of the websites are subdomains of one domain name (e.g. site1.mysite.com, site2.mysite.com), you can use a Wildcard certificate. If there are completely different domain names (e.g. mysite.com, myothersite.com), you will need to use a Unified Communications Certificate.

The first step, if you haven't already done it, is to set up each of the websites with normal http host header values. You can do this by clicking the Advanced button next to the IP address when editing each website's properties in IIS. Just click the Edit button and add a domain name as the host header value.

Next, you will need to create a pending request on one of the websites and order the Wildcard or UC certificate from the certificate authority of your choice. Once you have a Wildcard or UC certificate that will work for all of the hostnames that are on the same IP address, you need to use it to complete the pending request on the website that you created it on. Then you just need to configure the SecureBindings metabase property on each of the other sites so it contains the host header name of the site. To do so, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Navigate to your IIS scripts directory by typing cd C:\Inetpub\AdminScripts Adjust the path to where the adsutil.vbs file is, if necessary.
  3. Type the following command at the command prompt:

    cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

    <host header> is the host header value for the Web site (www.myothersite.com). <site identifier> is the IIS site ID displayed when looking at all the websites in IIS.

Find the site identifier by clicking on Web Sites in IIS

Type the command

Run that command for each of the websites that need to use that certificate. They will then use the same certificate that was install to the first site on the IP. A few more notes about SSL Host Headers in IIS 6 can be found here.

Apache

This same basic functionality (using a single certificate for multiple websites on the same IP address) can be acheived in Apache by simply adding this line to your Apache configuration file:

NameVirtualHost 192.168.1.1:443

This essentially instructs Apache to use the SSL certificate in the first Virtual Host for that IP address on all the other virtual hosts for the same IP address. You just need to make sure to use a certificate that will cover the names of all the sites as discussed above. View a sample configuration file demonstrating this.

Different Certificates on the Same IP address

It is generally not possible to use different SSL certificates on the same IP address. However, a modification to the SSL protocol, called Server Name Indication, allows the domain name to be passed as part of the TLS negotiation allowing the server to use the correct certificate even if there are many different sites using different certificates on the same IP address and port. Server Name Indication is supported by most modern web browsers but only a few web servers, such as Apache, Lighttpd, and Nginx, support it using special add-ons.

If you're feeling adventurous you can try using different certificates on the same IP address with Apache using one of these tutorials:

 Digg  del.icio.us  Reddit

Posted on December 07, 2007
Showing comments 1 to 20 of 43 | Next | Last
Eyal
Posts: 28
Comment
IIS load wrong website on HTTPS
Reply #43 on : Wed June 12, 2013, 11:09:19
I have two websites:

1. EN.2send.co.il
2. 2send.co.il

Both are working fine with HTTP

But when using in browser HTTPS the EN version loads for both of them.

I am using wildcard SSL with host headers configuration as described you your guide.

I cannot find the solution anywhere any idea? Thanks.
cpaul002
Posts: 1
Comment
ssl
Reply #42 on : Thu July 26, 2012, 04:10:38
I have tried to renew a certificate on IIS. after adding the cert to the MMC when i restart the cert is renewed on the console of IIS but the URL still shows the old cert.
When i remove the old cert from the MMC then the URL becomes inaccessible giving " page cannot be fund error"
Robert
Posts: 12
Comment
Re: Renewing a wildcard SSL
Reply #41 on : Wed January 04, 2012, 10:45:09
Hi Z,

I'm not 100% sure, but I think you just need to renew the cert on one site and then run the csxript.exe commands for each of the other sites again.
Z
Posts: 28
Comment
Renewing a wildcard SSL
Reply #40 on : Tue January 03, 2012, 21:31:37
What is the process of renewing a wildcard SSL certificate? I have 5 websites in IIS6 all of which are using SSL hostheaders. Initially when I set it up last year I assigned the certificate to the first site and then ran the script for all sites (including the first) and things were working fine. Now its come time to renew - do I just renew the same initial first site and then everything else will remain working? Anything else?
Thanks!
Bryan
Posts: 28
Comment
Worked Like a Charm!
Reply #39 on : Tue October 25, 2011, 13:14:06
Thanks so much, this is a very straightforward and incredibly useful solution. I talked to 5 different GoDaddy techs, and not one knew this was possible. You saved us from installing 20 additional IP's on our server. Cheers!
martincorr
Posts: 1
Comment
Requesting Certificate with SAN in IIS6
Reply #38 on : Wed April 13, 2011, 12:06:25
Great article, been really helpful. However I want to create a certificate request from IIS that contains a list of host headers in it. So my cert should contain www.mysite.com and www.myothersite.com (one in the common name and the other in the SAN extension). I have my own CA hierarchy so I can issue the cert but it has to be requested with all the host values it represents in the first place. I've followed your guide upstairs and configured the two host values against the same ip address. I then use the IIS snap-in to create a new cert request (I've deleted the old one so as to have a clean slate) and when I use openssl to view that request I can see that it does not have the SAN extension in there - essentially the request only requests for the first web site (cn) but not for the other one. Is it possible to get IIS to do this? Your article talks about UCCs but not how I can get IIS to generate a request for one. Any ideas? Thanks Martin
žoge
Posts: 28
Comment
Excellent advice
Reply #37 on : Wed March 30, 2011, 06:46:31
Excellent advice fixed my problem after my boss almost hang me, since the old settings suddenly stoped working:)
Last Edit: March 30, 2011, 10:28:18 by Robert  
sdpcrAdmin
Posts: 28
Comment
Works Great!
Reply #36 on : Thu March 10, 2011, 17:49:39
Hi,

Thanks for posting this. The instructions are straight forward and the solution worked great for our wild card certificates!

Thanks!

SDPCR
jason
Posts: 28
Comment
ssl host headers and specify ip
Reply #35 on : Thu August 12, 2010, 16:49:17
hey guys, i have a UCC cert and i used the tutorial to setup ssl host headers, but it defaults to the "any" ip

i need to define the SSL host headers AND use a specific IP

possible in IIS6?
ssllogic
Posts: 28
Comment
SSL Certificate
Reply #34 on : Fri May 28, 2010, 05:29:07
Hi, I have purchased an SSL Certificate from ssllogic.com and i am struggling to maintain it out there as i am not much familiar about SSL Certificates
Robert
Posts: 12
Comment
Re: SSL sertificate issue
Reply #33 on : Fri May 07, 2010, 10:44:18
Hi Dony,

You can currently only have one certificate per IP. You either need to get another IP address or get a Unified Communications certificate that includes the names of both sites and follow the instructions on this page.
Dony Jose
Posts: 28
Comment
SSL sertificate issue
Reply #32 on : Thu May 06, 2010, 05:24:53
Hi,
I have an issue in the ssl configuration. I have 2 websites, say http://domain1.com and http://domain2.com, and both the websites has its own unique SSL certificates also. I need to know whether I can put this two certificates and website in same server.

Regards,
Dony Jose
Swathi
Posts: 28
Comment
webserver is down
Reply #31 on : Wed April 28, 2010, 12:20:38
Thanks for posting a very useful information. However i did something and now whole webserver is down.

IIS has SSL certificate already installed on it. I was trying to configure the SecureBindings metabase for SSL host header to point to “exact” host name for the site so that it shows up in service base address. -

It was accessing private domain address instead of public one

I was trying to change the URL in wsdl from https://Privatedomain.com/ to https://public.domain.com/

I ran the following script
cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:public.domain.com"


After that I have restarted IIS and tried running websites, with or without SSL, it gives me "Internet Explorer cannot display the webpage"

I realize now that i used "1" in place of <site identifier> which is for default website. Please help me in fixing this issue.
I appreciate any help.

Thanks & Regards,
Swathi
Robert
Posts: 12
Comment
Re: Different Domains - Same IIS Server
Reply #30 on : Tue April 27, 2010, 19:35:38
Hi Terry,

If both of the domains are on the same external IP address, you need to get one certificate that has both names in is (a UC certificate). You could also put one of the sites on another IP address and use two certs.
Terry
Posts: 28
Comment
Different Domains - Same IIS Server
Reply #29 on : Tue April 27, 2010, 13:00:49
Hello,I need to have SSL configured for two DIFFERENT domain names and cannot figure out how. I read through the posts but ...

Site 1 = support.123.com 10.0.0.1
Site 2 = support.ABC.com 10.0.0.2

I have configured two IIS sites and applied SSL certs to each according to their domain.

When I hit the web site https://support.123.com all works as expected. The other site gives the warning to continue.

I have run the following commands and when I use the GET statement the results are correct.

cscript.exe adsutil.vbs set /w3svc/2/SecureBindings ":443:support.123.com"
cscript.exe adsutil.vbs set /w3svc/1239553289/SecureBindings ":443:support.ABC.com"

Any help will be greatly appreciated.
Robert
Posts: 12
Comment
Re: Rashimi
Reply #28 on : Sun February 07, 2010, 20:29:15
Hi Rashimi,

Make sure you only assign the certificate to one of the IIS websites. Otherwise they will conflict for port 443. You only run the command for the website that doesn't have the certificate installed on it. You can check that the certificate is being given out correctly here: http://www.sslshopper.com/ssl-checker.html
Rashmi
Posts: 28
Comment
My websites does not work with SSL
Reply #27 on : Sun February 07, 2010, 01:37:25
hi
This is really a very helpful post, we have exactly same requirement , what i did was crreated host headers for my two websites sharing 80, 443 ports.

For SSL i have wildcard certificate, I have selected it for both of the sites and run the script


cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:xyz.domain.com"


cscript.exe adsutil.vbs set /w3svc/80248314/SecureBindings ":443:abc.domain.com"

After that I have restarted IIS and tried running websites, without SSL both runs great, but when i try to ON SSL, it gives me "Internet Explorer cannot display the webpage"

Any clues?

Regards
Rashmi
Robert
Posts: 12
Comment
Re: Anyway to do this in IIS 5
Reply #26 on : Fri January 15, 2010, 19:22:50
As far as I am aware, you must have IIS 6 or higher. This can't be done in IIS 5
jcalka
Posts: 1
Comment
Anyway to do this in IIS 5
Reply #25 on : Fri January 15, 2010, 16:23:17
Anyway to make this work in IIS 5?

I tried the SecureBindings, but this doesn't seem to work...just keeps going to main web.
Robert
Posts: 12
Comment
Re: Difficulties to get SSL Host Headers working
Reply #24 on : Thu November 19, 2009, 08:49:03
Hi Mart,

Can you access the site without Https? A wildcard certificate for *.website.nl will only secure first level so it willalways give a name mismatch error if you use it on jaar2007.rpnet.website.nl. Try checking the certificate at http://www.sslshopper.com/ssl-checker.html after installing it and see if it reports any problems.
Showing comments 1 to 20 of 43 | Next | Last

Write a comment


If you have trouble reading the code, click on the code itself to generate a new random code.
Security Code:
 
Post Comment