
How To Configure SSL Host Headers in IIS 6

If you need to set up SSL Host Headers for IIS 7 instead of IIS 6, see SSL Host Headers in IIS 7.

Because of the way the SSL protocol works, it is normally necessary to have a unique IP address for each SSL certificate you use. The host header that tells the server which website to serve, and therefore which SSL certificate to use, is itself encrypted and cannot be decrypted until the server already knows which certificate to use. It is a "chicken and egg" problem. The Apache web server documentation explains the problem clearly.

If you have to use the same IP address for multiple sites, one simple solution is to just use different port numbers. For example:

https://site1.mysite.com
https://site2.mysite.com:8081
https://myothersite.com:8082

But doing it this way requires that you always visit the site using the port number and always reference it in links with the port number.

There is a more elegant method, if you have IIS 6.0 or later. That method is to use SSL Host Headers.

With SSL Host Headers, you will essentially use one SSL certificate for all of the sites that use SSL on a particular IP address. For this to work, you will need either a Wildcard certificate or a Unified Communications Certificate. If all of the websites are subdomains of one domain name (e.g. site1.mysite.com, site2.mysite.com), you can use a Wildcard certificate. If there are completely different domain names (e.g. mysite.com, myothersite.com), you will need to use a Unified Communications Certificate.

The first step, if you haven't already done it, is to set up each of the websites with normal http host header values. You can do this by clicking the Advanced button next to the IP address when editing each website's properties in IIS. Just click the Edit button and add a domain name as the host header value.

Next, you will need to create a pending request on one of the websites and order the Wildcard or UC certificate from the certificate authority of your choice. Once you have a Wildcard or UC certificate that will work for all of the hostnames that are on the same IP address, you need to use it to complete the pending request on the website that you created it on. Then you just need to configure the SecureBindings metabase property on each of the other sites so it contains the host header name of the site. To do so, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Navigate to your IIS scripts directory by typing cd C:\Inetpub\AdminScripts (adjust the path to where the adsutil.vbs file is, if necessary).
  3. Type the following command at the command prompt:

    cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

    <host header> is the host header value for the Web site (www.myothersite.com). <site identifier> is the IIS site ID displayed when looking at all the websites in IIS.

[Screenshot: Find the site identifier by clicking on Web Sites in IIS]

[Screenshot: Type the command]

Run that command for each of the websites that need to use that certificate. They will then use the same certificate that was installed on the first site on the IP. A few more notes about SSL Host Headers in IIS 6 can be found here.
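As an added example (not code from the SSL Shopper article), the following Python script parses the SecureBindings values that IIS 6 stores in MetaBase.xml (under %SystemRoot%\system32\inetsrv) and checks them against the certificate's names: it flags two sites bound to the same ip:port with no host header, and host headers that the Wildcard or UC certificate does not cover (a wildcard matches exactly one label). The MetaBase.xml fragment is constructed, and the CR LF separation of multi-valued properties is an assumption.

```python
r"""Audit IIS 6 SecureBindings in MetaBase.xml against the certificate's names.
Added example; assumes multi-valued properties are stored CR LF separated.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample. Site 1 holds the certificate; the two ":443:" bindings
# without a host header (sites 1 and 1367670614) collide; the deep subdomain is
# outside what a *.mysite.com wildcard covers.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebServer Location="/LM/W3SVC/1" SecureBindings=":443:"
    ServerComment="www.mysite.com"></IIsWebServer>
<IIsWebServer Location="/LM/W3SVC/938810307"
    SecureBindings=":443:site1.mysite.com&#xD;&#xA;:443:site2.mysite.com"
    ServerComment="two host headers"></IIsWebServer>
<IIsWebServer Location="/LM/W3SVC/1847112758"
    SecureBindings=":443:jaar2007.rpnet.mysite.com"
    ServerComment="deep subdomain"></IIsWebServer>
<IIsWebServer Location="/LM/W3SVC/1367670614" SecureBindings=":443:"
    ServerComment="myothersite.com"></IIsWebServer>
</MBProperty>
</configuration>
"""


def parse_bindings(value):
    """Split a SecureBindings value into (ip, port, host) tuples."""
    out = []
    for line in re.split(r"\r?\n", value):
        if line.strip():
            ip, port, host = line.strip().split(":", 2)
            out.append((ip, int(port), host.lower()))
    return out


def load_sites(xml_text):
    """Return {site id: (ServerComment, secure bindings)} from MetaBase.xml text."""
    sites = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.endswith("IIsWebServer"):  # tag carries the XML namespace
            site_id = el.get("Location", "").rsplit("/", 1)[-1]
            sites[site_id] = (el.get("ServerComment", ""),
                              parse_bindings(el.get("SecureBindings", "")))
    return sites


def cert_covers(cert_names, host):
    """True if a CN/SAN matches host; '*.x' matches exactly one extra label."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name.startswith("*."):
            base = name[2:]
            if host.endswith("." + base) and "." not in host[:-len(base) - 1]:
                return True
        elif name == host:
            return True
    return False


def audit(sites, cert_names):
    """Return problem strings: the same ip:port:host bound by two sites, and
    host headers the certificate would fail name matching on."""
    problems, seen = [], {}
    for site_id, (_, bindings) in sites.items():
        for ip, port, host in bindings:
            if (ip, port, host) in seen:
                problems.append(f"site {site_id}: {ip or '*'}:{port}:{host} "
                                f"already bound by site {seen[(ip, port, host)]}")
            seen.setdefault((ip, port, host), site_id)
            if host and not cert_covers(cert_names, host):
                problems.append(f"site {site_id}: {host} not covered by certificate")
    return problems


if __name__ == "__main__":
    for problem in audit(load_sites(SAMPLE_METABASE), ["www.mysite.com", "*.mysite.com"]):
        print(problem)
```

To audit a real server, replace SAMPLE_METABASE with the contents of MetaBase.xml and pass the certificate's CN and SAN names.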

Apache

This same basic functionality (using a single certificate for multiple websites on the same IP address) can be achieved in Apache by simply adding this line to your Apache configuration file:

NameVirtualHost 192.168.1.1:443

This essentially instructs Apache to use the SSL certificate in the first Virtual Host for that IP address on all the other virtual hosts for the same IP address. You just need to make sure to use a certificate that will cover the names of all the sites as discussed above. View a sample configuration file demonstrating this.

Different Certificates on the Same IP address

It is generally not possible to use different SSL certificates on the same IP address. However, a modification to the SSL protocol, called Server Name Indication, allows the domain name to be passed as part of the TLS negotiation allowing the server to use the correct certificate even if there are many different sites using different certificates on the same IP address and port. Server Name Indication is supported by most modern web browsers but only a few web servers, such as Apache, Lighttpd, and Nginx, support it using special add-ons.
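To make the "chicken and egg" problem and the SNI fix concrete, here is an added Python example (not from the article) that builds a minimal TLS 1.2 ClientHello with and without the server_name extension and parses it the way a server does when it has to pick a certificate. The cipher suite and random bytes are constructed and the code illustrates the message layout only; it is not a TLS implementation.

```python
"""Show what Server Name Indication adds to the TLS handshake (added example).

Without SNI the server sees only the IP address and port of the connection
when it must choose a certificate; with SNI the host name travels in the
clear inside the ClientHello, before any encryption is set up.
"""
import os
import struct


def build_client_hello(server_name=None):
    """Return one TLS record carrying a ClientHello; server_name adds SNI."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerNameList entry: name_type 0 (host_name), 2-byte length, name
        name_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni_data = struct.pack("!H", len(name_list)) + name_list
        extensions += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + os.urandom(32)                        # random
        + b"\x00"                               # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one (constructed) cipher suite
        + b"\x01\x00"                           # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big")  # type client_hello
    handshake += body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name from the ClientHello's SNI extension, or None."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    p = 9 + 2 + 32                                      # skip version, random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    if p >= 9 + hs_len:
        return None                                     # no extensions at all
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + length]
        p += 4 + length
        if ext_type == 0x0000:                          # server_name
            q = 2                                       # skip list length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                if name_type == 0:                      # host_name
                    return data[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
    return None


if __name__ == "__main__":
    # Pre-SNI client: the server cannot tell site1 from site2 on one IP:port.
    print("without SNI:", extract_sni(build_client_hello()))
    # SNI client: the name is readable before any certificate is chosen.
    rec = build_client_hello("site2.mysite.com")
    print("with SNI:", extract_sni(rec), "| name in clear:", b"site2" in rec)
```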

If you're feeling adventurous you can try using different certificates on the same IP address with Apache using one of these tutorials:

Originally posted on Sat Dec 8, 2007

Comments


Robert(2014-12-13)

It looks like your server can't find cscript.exe in its path for some reason so it is looking for it in the adminscripts folder and it is not there either. It should be located in the system32 directory so you could try this command:

"c:\windows\system32\cscript.exe" adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

Otherwise, you'll have to find out where your cscript.exe file is on your version of Windows.

navyjax2(2016-07-15)

It gets installed into C:\inetpub\AdminScripts if you install the IIS Management Tools/Scripts in the IIS features/components.

Tim M(2014-12-13)

After entering cscript.exe adsutil.vbs set /w3svc/12345678/SecureBindings ":443:extranet"

is it possible to see what has been set up against each sharepoint site?

I use this article a great deal and up to now everything has always worked fine. I'm having a bit of an issue where I have a site with multiple headers.

Looking from IIS and Advanced Web Site Identification

Default 80 extranet.site.dnsalias.com
Default 80 extranet

SSL
Default 443

When you type "extranet" the DEFAULT website comes up
When you type "extranet.site.dnsalias.com" the extranet site comes up

------------ the intranet site below works correctly:

Default 80 intranet.site.dnsalias.com
Default 80 intranet

SSL
Default 443

When you type "intranet" the intranet website comes up
When you type "intranet.site.dnsalias.com" the intranet site comes up

Therefore I'm wondering if I've got something wrong with the SSL config, but I can't figure out how to view the settings I've entered using the command line: cscript.exe adsutil.vbs set /w3svc/12345678/SecureBindings ":443:extranet"

Perhaps I'm just barking up the wrong tree for this problem?

Robert(2014-12-13)

Hi Tim,

I don't know of any way to see the entries but you can use this command to enable a site to have multiple SSL Host Headers like you need (if you don't use this command, it will just overwrite the previous entry):

cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<hostheader1>" ":443:<hostheader2>"

Keith Kramis(2017-04-17)

Thanks Robert, I have been searching for this command for hours. It works just as required. It amazes me that Microsoft didn't include this parameter option in the set syntax.

Savo Jr(2014-12-13)

Hi, thanks for info!
At first I had the same issue. I got it working after changing the working DIR to where the scripts are and giving the path to cscript.exe from there.

.j

@ECHO OFF
CD c:\inetpub\adminscripts
%WINDIR%\system32\cscript.exe adsutil.vbs set /w3svc/SITEID-1/SecureBindings ":443:HOSTHEADER"

%WINDIR%\system32\cscript.exe adsutil.vbs set /w3svc/SITEID-2/SecureBindings ":443:HOSTHEADER"

navyjax2(2016-07-15)

If you're specifying "%WINDIR%\system32\cscript.exe" instead of the one in c:\inetpub\adminscripts, you don't need that CD line in there.

Clint(2014-12-13)

That's maybe because your cscript.exe is probably a 64-bit binary you pulled off a 64-bit box and you're attempting to launch it in a 32-bit environment.

Kevin(2014-12-13)

In running your cscript example I get this error:
C:\inetpub\adminscripts\cscript.exe is not a valid Win32 application. Ideas?

navyjax2(2016-07-15)

Ensure you have done a 'cd' to the C:\inetpub\adminscripts directory, first, and ensure the application is there (if not, have you installed the IIS Management Scripts in the Web Server role features?). There's also a command you can run from that same directory: cscript.exe adsutil.vbs SET W3SVC\AppPools\Enable32BitAppOnWin64 "true"

Amrendra(2014-12-13)

Hi,
I am hosting applications in the ASP model and have a single IP address hosting multiple sites, but I am not able to configure a different SSL for each site.
thanks
Amar

Ryan Reid(2014-12-13)

The only thing I found was that I needed to install the certificate first on each of the sites, then run the script, then restart IIS.

Thanks for the article. You might also mention that there is a way to turn on the 'require secure channel' using a similar script:

Scott(2014-12-13)

Run the script from the root\inetpub\adminscripts directory

Bill Monte(2014-12-13)

I followed the directions and it worked perfectly, but on Safari on my Mac it does not. Any ideas?

https://freddiemaccs.com

Thanks in advance

Ryan Reid(2014-12-13)

You can 'require' secure access using a similar script: cscript.exe adsutil.vbs set /w3svc/{site identifier}/AccessSSL TRUE.

Thanks, I've referenced this article on my blog: http://www.netquarry.com

Robert(2014-12-13)

Phil, it sounds like you are trying to connect to the second site (the one that is set to use port 444 for SSL) using normal https (which defaults to port 443). That is why it is getting the wrong certificate because any SSL connection on that IP address that uses port 443 will use that certificate. I wasn't able to connect to the site using port 444 but that is probably because it is being blocked by a firewall.

You will either need to forward port 444 and access the site with the port specified (https://yourseconddomain.com:444) or get a UC/SAN certificate that contains both domain names and set up SSL Host Headers using the instructions on this page.

shamal(2014-12-13)

Worked perfect for me.
Only related Websites and Application pools had to be restarted in my case.

phil(2014-12-13)

Can't get it to work as indicated in the top few paragraphs. Have several sites on one IP using headers. One of them has had ssl. Now trying to certify a second site. Installed the cert for the 2nd site in iis on port 444. The cert appears to be the right one, but accessing the page on port 444 indicates an error. Browser is getting the cert from the other site, which doesn't match. Two different ssl providers insist it can't be done on one isp, but the above indicates it can. Please help!

Nismoto(2014-12-13)

@Tim

You can view the entries by examining the MetaBase.xml file in %SystemRoot%\system32\inetsrv.

Robert(2014-12-13)

Hi Bill. Everything seems to check out when I test the certificate on https://freddiemaccs.com. What is the error that you are getting on Safari on Mac? If it is an older version, it may not have the trusted roots that GoDaddy used to sign the certificate.

QMan(2014-12-13)

THANKS to the person who posted this...works GREAT

Robert(2014-12-13)

Hi Dan,

Can you post more information about the exact commands that you ran? Were the sites working before you ran commands? Does it only give you the error when you start the IIS site?

dan(2014-12-13)

This all sounds simple enough, but I am getting "The Parameter Is Incorrect" after I run the cscript and attempt to start the sites. Anyone else run into this? In order for the sites to even work, I have to remove 443 from the "SSL Port" field in IIS 6.

Carson(2014-12-13)

Phil,

I have run into the same issue you are working with and I can tell you that it does not work. You can set up as many sites on one IP with SSL as long as it is under one certificate. If you have more than one certificate, you must use another IP address. This script enables a user to configure multiple sites using the same IP and certificate. Those SSL providers were correct in what they told you.

dan(2014-12-13)

We have a Godaddy "UCC" certificate which enables us to have multiple domain names on the same IP and bound to port 443. Last week, I had to renew it. I had to generate a new CSR because godaddy now requires 2048 bit encryption instead of the old 1024.

I was able to get the certificate and install it in IIS 6 on all three of my domain names. Prior to this, all three certs were working (they just happened to expire 11/7/09 -- not sure if the new 2048 bit requirement has anything to do with it but I doubt it). However, I could only get one of the sites to "work" at once -- the other 2 weren't able to "start" in IIS and reported the following error: "The Parameter Is Incorrect" (also another error I encountered during this frantic process was "cannot create a file when that file already exists", but I cannot confirm how or when exactly it happened (was intermittent)).

Here is what I did in summary:

1. Installed the certificate(s). I can view the certs via IIS from the Directory Security Tab - shows valid dates expiring 11/2010 on all 3 domains.
2. On web server (IIS 6), opened a command prompt, changed directory to c:\inetpub\adminscripts and ran a script for each domain that needs to be bound to port 443. The script(s) are:

cscript.exe adsutil.vbs set /w3svc/1367670614/SecureBindings ":443:<1st domain name>:
PRESSED ENTER
cscript.exe adsutil.vbs set /w3svc/938810307/SecureBindings ":443:<2nd domain name>:
PRESSED ENTER
cscript.exe adsutil.vbs set /w3svc/1847112758/SecureBindings ":443:<3rd domain name>:
PRESSED ENTER

That should have been it, after those three scripts are ran, I restarted IIS, then I should be able to right-click the website in IIS and Start, but that doesn't work. Get popup "The parameter is incorrect"

When I do this, the sites stop and cannot be started and report "The Parameter Is Incorrect" when I attempt to start them. In order to get the sites working (without SSL) I just removed 443 from the website properties so it wouldn't even try to bind to port 443. When I add 443 back in, the site stops itself.

Appreciate any help you've got Robert. I'm at a loss.

Dan

Robert(2014-12-13)

You can only apply the SSL certificate to one of the sites in IIS. You have to enable the other sites on the command line.

1. Remove the certificate and port 443 from the website properties of site 2 and site 3.
2. On the command line run these two commands (make sure there is a quote at the end instead of a colon like in the examples you posted before):
cscript.exe adsutil.vbs set /w3svc/938810307/SecureBindings ":443:<2nd domain name>"
cscript.exe adsutil.vbs set /w3svc/1847112758/SecureBindings ":443:<3rd domain name>"
3. Make sure all the sites are started and test them in the browser (you may need to restart the sites).

If that still doesn't work, shoot me an email at webmaster at this domain.

navyjax2(2016-07-15)

Every site using SSL needs its own certificate set in the IIS Bindings section. You can use a wildcard cert on any number of sites, and you must use it on every site you wish to grant SSL/443 capabilities. A site doesn't magically get SSL without having a certificate, or by another site having the cert. Then yes, each site must have the SecureBindings command ran, like you correctly pointed out.

Mart(2014-12-13)

Hello,

i have a problem for which after a lot of googling i am out of options in finding a solution...

First of all, we try to implement SSL Host Headers (of course :-) using a wildcard SSL certificate, which was successfully imported on the server, running IIS 6.0.

We want to use this certificate run on multiple websites, the certificate itself is *.website.nl wildcard, for the following websites...

rpnet.website.nl
test.rpnet.website.nl
jaar2007.rpnet.website.nl

The website 'rpnet.website.nl' is working fine, with an https connection and all. All the other websites first give a 'There is a problem with this website's security certificate' warning and when you click continue 'The webpage cannot be found'.

I first thought the problem was the hostnames of the other websites, jaar2007.rpnet.website.nl for example, while the wildcard probably only works for rpnet.website.nl and alikes. To counter this, I set jaar2007.rpnet.website.nl to rpnet2007.website.nl, corrected the host header, reran adsutil after removing the old securebinding, restarted the webserver and did everything I can think of to be sure the settings are correct. Without results, still the same issues...

I am really REALLY out of options here. Is there anybody out there who have a clue ?

Very very much thanks in advance,

Mart

navyjax2(2016-07-15)

Each site needs to have the certificate included in its IIS Bindings section, but don't put the host header here - leave it blank. Each site then needs the SecureBindings command ran, individually, using their appropriate site identifier and host header - this is where it will get enforced. Restarting the web sites in between each command run generally helps to enforce the command.

Robert(2014-12-13)

Hi Mart,

Can you access the site without https? A wildcard certificate for *.website.nl will only secure the first level, so it will always give a name mismatch error if you use it on jaar2007.rpnet.website.nl. Try checking the certificate at http://www.sslshopper.com/s... after installing it and see if it reports any problems.

Robert(2014-12-13)

Anyway to make this work in IIS 5?

I tried the SecureBindings, but this doesn't seem to work...just keeps going to main web.

Robert(2014-12-13)

As far as I am aware, you must have IIS 6 or higher. This can't be done in IIS 5

Robert(2014-12-13)

Hi Rashimi,

Make sure you only assign the certificate to one of the IIS websites. Otherwise they will conflict for port 443. You only run the command for the website that doesn't have the certificate installed on it. You can check that the certificate is being given out correctly here: http://www.sslshopper.com/s...

navyjax2(2016-07-15)

Actually, if you have a certificate that matches the name on a site (i.e. cert #1= public1.domain.com, cert #2 = public2.domain.com), you just place each cert on its respective site and run the SecureBindings command for each. There is no "conflict" on port 443 to resolve. That is the point of host headers - they resolve to different sites. It's just like if you did it on port 80 - not much different except you have certificates to create with the name matching that of the site and install the certs.

Rashmi(2014-12-13)

hi
This is really a very helpful post, we have exactly the same requirement. What I did was create host headers for my two websites sharing ports 80 and 443.

For SSL i have wildcard certificate, I have selected it for both of the sites and run the script

cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:xyz.domain.com"

cscript.exe adsutil.vbs set /w3svc/80248314/SecureBindings ":443:abc.domain.com"

After that I have restarted IIS and tried running websites, without SSL both runs great, but when i try to ON SSL, it gives me "Internet Explorer cannot display the webpage"

Any clues?

Regards
Rashmi

Terry(2014-12-13)

Hello, I need to have SSL configured for two DIFFERENT domain names and cannot figure out how. I read through the posts but ...

Site 1 = support.123.com 10.0.0.1
Site 2 = support.ABC.com 10.0.0.2

I have configured two IIS sites and applied SSL certs to each according to their domain.

When I hit the web site https://support.123.com all works as expected. The other site gives the warning to continue.

I have run the following commands and when I use the GET statement the results are correct.

cscript.exe adsutil.vbs set /w3svc/2/SecureBindings ":443:support.123.com"
cscript.exe adsutil.vbs set /w3svc/1239553289/SecureBindings ":443:support.ABC.com"

Any help will be greatly appreciated.

Robert(2014-12-13)

Hi Terry,

If both of the domains are on the same external IP address, you need to get one certificate that has both names in it (a UC certificate). You could also put one of the sites on another IP address and use two certs.

Dony Jose(2014-12-13)

Hi,
I have an issue in the SSL configuration. I have 2 websites, say http://domain1.com and http://domain2.com, and both websites have their own unique SSL certificates. I need to know whether I can put these two certificates and websites on the same server.

Regards,
Dony Jose

navyjax2(2016-07-15)

Yes. Each site will need to have the SecureBindings command ran for each of them. Ensure you put in the correct site identifier when running the scripts. Each site should probably have its own IP assigned. Traffic would have to be routed appropriately (e.g. DNS, hosts file, router forwarding, etc.).

Robert(2014-12-13)

Hi Dony,

You can currently only have one certificate per IP. You either need to get another IP address or get a Unified Communications certificate that includes the names of both sites and follow the instructions on this page.

Swathi(2014-12-13)

Thanks for posting very useful information. However, I did something and now the whole webserver is down.

IIS has SSL certificate already installed on it. I was trying to configure the SecureBindings metabase for SSL host header to point to “exact” host name for the site so that it shows up in service base address. -

It was accessing private domain address instead of public one

I was trying to change the URL in wsdl from https://Privatedomain.com/ to https://public.domain.com/

I ran the following script
cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:public.domain.com"

After that I have restarted IIS and tried running websites, with or without SSL, it gives me "Internet Explorer cannot display the webpage"

I realize now that i used "1" in place of <site identifier> which is for default website. Please help me in fixing this issue.
I appreciate any help.

Thanks & Regards,
Swathi

navyjax2(2016-07-15)

You have to re-run the command and specify the correct identifier of the web site you are trying to set your binding onto. You also have to have a certificate that has "public.domain.com" as its friendly/common name. You'll have to make sure the binding is removed from your Default Web Site (ID 1) by installing the IIS 6 Resource Kit (don't worry, it will work if you use IIS 7+) and open the Metabase Explorer it installs and drill down into W3SVC\1 and clear the SecureBindings property there.

ssllogic(2014-12-13)

Hi, I have purchased an SSL Certificate from ssllogic.com and i am struggling to maintain it out there as i am not much familiar about SSL Certificates

sdpcrAdmin(2014-12-13)

Hi,

Thanks for posting this. The instructions are straight forward and the solution worked great for our wild card certificates!

Thanks!

SDPCR

Robert(2014-12-13)

Great article, been really helpful. However I want to create a certificate request from IIS that contains a list of host headers in it. So my cert should contain www.mysite.com and www.myothersite.com (one in the common name and the other in the SAN extension). I have my own CA hierarchy so I can issue the cert but it has to be requested with all the host values it represents in the first place. I've followed your guide upstairs and configured the two host values against the same ip address. I then use the IIS snap-in to create a new cert request (I've deleted the old one so as to have a clean slate) and when I use openssl to view that request I can see that it does not have the SAN extension in there - essentially the request only requests for the first web site (cn) but not for the other one. Is it possible to get IIS to do this? Your article talks about UCCs but not how I can get IIS to generate a request for one. Any ideas? Thanks Martin

jason(2014-12-13)

hey guys, i have a UCC cert and i used the tutorial to setup ssl host headers, but it defaults to the "any" ip

i need to define the SSL host headers AND use a specific IP

possible in IIS6?

navyjax2(2016-07-15)

Yes. Same procedure as above, but in your IIS bindings section, you specify the IP instead of "All Unassigned". You'll need a DNS entry ('A' host record) that maps the name in your cert to that IP.

žoge(2014-12-13)

Excellent advice, fixed my problem after my boss almost hanged me, since the old settings suddenly stopped working :)

Bryan(2014-12-13)

Thanks so much, this is a very straightforward and incredibly useful solution. I talked to 5 different GoDaddy techs, and not one knew this was possible. You saved us from installing 20 additional IP's on our server. Cheers!

Z(2014-12-13)

What is the process of renewing a wildcard SSL certificate? I have 5 websites in IIS6 all of which are using SSL hostheaders. Initially when I set it up last year I assigned the certificate to the first site and then ran the script for all sites (including the first) and things were working fine. Now its come time to renew - do I just renew the same initial first site and then everything else will remain working? Anything else?
Thanks!

navyjax2(2016-07-15)

When you renew the cert, you have to remove the old cert and import the new. This shouldn't have an effect on the SSL bindings.

Robert(2014-12-13)

Hi Z,

I'm not 100% sure, but I think you just need to renew the cert on one site and then run the cscript.exe commands for each of the other sites again.

Robert(2014-12-13)

I have tried to renew a certificate on IIS. after adding the cert to the MMC when i restart the cert is renewed on the console of IIS but the URL still shows the old cert.
When I remove the old cert from the MMC then the URL becomes inaccessible giving a "page cannot be found" error.

Eyal(2014-12-13)

I have two websites:

1. EN.2send.co.il
2. 2send.co.il

Both are working fine with HTTP

But when using in browser HTTPS the EN version loads for both of them.

I am using wildcard SSL with host headers configuration as described in your guide.

I cannot find the solution anywhere any idea? Thanks.

Michael Torres(2018-04-11)

question,
can i use both websites at the same time without error like "parameter is incorrect" when i assign host header?
