How To Configure SSL Host Headers in IIS 6

If you need to set up SSL Host Headers for IIS 7 instead of IIS 6, see SSL Host Headers in IIS 7.

Because of the way the SSL protocol works, you normally need a unique IP address for each SSL certificate that you use. The host header that tells the server which website to serve, and therefore which SSL certificate to use, is encrypted, and the server cannot decrypt it until it knows which SSL certificate to use. It's like the "chicken and egg" problem. The Apache web server documentation explains the problem clearly.

If you have to use the same IP address for multiple sites, one simple solution is to just use different port numbers. For example:

https://site1.mysite.com
https://site2.mysite.com:8081
https://myothersite.com:8082

But doing it this way requires that you always visit the site using the port number and always reference it in links with the port number.

There is a more elegant method, if you have IIS 6.0 or later. That method is to use SSL Host Headers.

With SSL Host Headers, you essentially use one SSL certificate for all of the sites that use SSL on a particular IP address. For this to work, you will need either a Wildcard certificate or a Unified Communications Certificate. If all of the websites are subdomains of one domain name (e.g. site1.mysite.com, site2.mysite.com), you can use a Wildcard certificate. If they are completely different domain names (e.g. mysite.com, myothersite.com), you will need to use a Unified Communications Certificate.

The first step, if you haven't already done it, is to set up each of the websites with normal HTTP host header values. You can do this by clicking the Advanced button next to the IP address when editing each website's properties in IIS. Just click the Edit button and add a domain name as the host header value.

Next, you will need to create a pending request on one of the websites and order the Wildcard or UC certificate from the certificate authority of your choice. Once you have a Wildcard or UC certificate that will work for all of the hostnames that are on the same IP address, you need to use it to complete the pending request on the website that you created it on. Then you just need to configure the SecureBindings metabase property on each of the other sites so it contains the host header name of the site. To do so, follow these steps:

  1. Click Start, click Run, type "cmd" in the Open box, and then click OK.
  2. Navigate to your IIS scripts directory by typing "cd C:\Inetpub\AdminScripts". Adjust the path to where the adsutil.vbs file is, if necessary.
  3. Type the following command at the command prompt:

    cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

    <host header> is the host header value for the Web site (www.myothersite.com). <site identifier> is the IIS site ID displayed when looking at all the websites in IIS.

Find the site identifier by clicking on Web Sites in IIS

Type the command

Run that command for each of the websites that need to use that certificate. They will then use the same certificate that was installed on the first site on the IP. A few more notes about SSL Host Headers in IIS 6 can be found here.
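A pre-flight check for the procedure above, as an added example that is not part of the original article: it confirms that every host header is covered by a name in the shared Wildcard or UC certificate (a wildcard stands for exactly one leftmost label) and only then builds the adsutil.vbs command for that site. The site identifiers, host names and certificate names are constructed placeholders, and name_covers and plan_bindings are hypothetical helper names.

```python
import re

# Constructed sample data: placeholders, not values from a real server.
CERT_NAMES = ["*.mysite.com", "myothersite.com"]   # names listed in the shared certificate
SITES = {                                          # IIS site identifier -> host header
    "2": "site2.mysite.com",
    "3": "myothersite.com",
    "4": "test.site2.mysite.com",
}

# Plain DNS host name only: rejects quotes, spaces and a stray trailing colon.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def name_covers(cert_name, host):
    """True if one certificate name matches host; '*' stands for exactly one leftmost label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False          # a wildcard never spans more than one label
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def plan_bindings(cert_names, sites, port=443):
    """Return (commands, problems) for the sites that share the certificate."""
    commands, problems = [], []
    for site_id, host in sorted(sites.items()):
        if not site_id.isdigit():
            problems.append(f"site id {site_id!r} is not numeric")
        elif not HOST_RE.match(host.lower()):
            problems.append(f"{host!r} is not a plain host name")
        elif not any(name_covers(n, host) for n in cert_names):
            problems.append(f"{host} is not covered by the certificate (name mismatch)")
        else:
            binding = f":{port}:{host}"
            commands.append(
                f'cscript.exe adsutil.vbs set /w3svc/{site_id}/SecureBindings "{binding}"')
    return commands, problems


if __name__ == "__main__":
    cmds, issues = plan_bindings(CERT_NAMES, SITES)
    print("\n".join(cmds))
    print("\n".join("SKIPPED: " + i for i in issues))
```

With the sample data, the two covered sites get a command and test.site2.mysite.com is skipped, because *.mysite.com does not reach a second subdomain level.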

Apache

This same basic functionality (using a single certificate for multiple websites on the same IP address) can be achieved in Apache by simply adding this line to your Apache configuration file:

NameVirtualHost 192.168.1.1:443

This essentially instructs Apache to use the SSL certificate in the first Virtual Host for that IP address on all the other virtual hosts for the same IP address. You just need to make sure to use a certificate that will cover the names of all the sites as discussed above. View a sample configuration file demonstrating this.

Different Certificates on the Same IP address

It is generally not possible to use different SSL certificates on the same IP address. However, a modification to the SSL protocol, called Server Name Indication, allows the domain name to be passed as part of the TLS negotiation allowing the server to use the correct certificate even if there are many different sites using different certificates on the same IP address and port. Server Name Indication is supported by most modern web browsers but only a few web servers, such as Apache, Lighttpd, and Nginx, support it using special add-ons.

If you're feeling adventurous you can try using different certificates on the same IP address with Apache using one of these tutorials:


Posted on December 07, 2007
Robert
Posts: 8
Comment
Re: Rashimi
Reply #28 on : Sun February 07, 2010, 19:29:15
Hi Rashimi,

Make sure you only assign the certificate to one of the IIS websites. Otherwise they will conflict for port 443. You only run the command for the website that doesn't have the certificate installed on it. You can check that the certificate is being given out correctly here: http://www.sslshopper.com/ssl-checker.html
Rashmi
Posts: 18
Comment
My websites does not work with SSL
Reply #27 on : Sun February 07, 2010, 00:37:25
hi
This is really a very helpful post, we have exactly same requirement, what I did was created host headers for my two websites sharing 80, 443 ports.

For SSL i have wildcard certificate, I have selected it for both of the sites and run the script


cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:xyz.domain.com"


cscript.exe adsutil.vbs set /w3svc/80248314/SecureBindings ":443:abc.domain.com"

After that I have restarted IIS and tried running websites, without SSL both runs great, but when I try to ON SSL, it gives me "Internet Explorer cannot display the webpage"

Any clues?

Regards
Rashmi
Robert
Posts: 8
Comment
Re: Anyway to do this in IIS 5
Reply #26 on : Fri January 15, 2010, 18:22:50
As far as I am aware, you must have IIS 6 or higher. This can't be done in IIS 5
jcalka
Posts: 1
Comment
Anyway to do this in IIS 5
Reply #25 on : Fri January 15, 2010, 15:23:17
Anyway to make this work in IIS 5?

I tried the SecureBindings, but this doesn't seem to work...just keeps going to main web.
Robert
Posts: 8
Comment
Re: Difficulties to get SSL Host Headers working
Reply #24 on : Thu November 19, 2009, 07:49:03
Hi Mart,

Can you access the site without HTTPS? A wildcard certificate for *.website.nl will only secure first level so it will always give a name mismatch error if you use it on jaar2007.rpnet.website.nl. Try checking the certificate at http://www.sslshopper.com/ssl-checker.html after installing it and see if it reports any problems.
Mart
Posts: 18
Comment
Difficulties to get SSL Host Headers working
Reply #23 on : Thu November 19, 2009, 05:40:33
Hello,

I have a problem for which after a lot of googling I am out of options in finding a solution...

First of all, we try to implement SSL Host Headers (of course :-) using a wildcard SSL certificate, which was successfully imported on the server, running IIS 6.0.

We want to use this certificate run on multiple websites, the certificate itself is *.website.nl wildcard, for the following websites...

rpnet.website.nl
test.rpnet.website.nl
jaar2007.rpnet.website.nl

The website 'rpnet.website.nl' is working fine, with an https connection and all. All the other websites first give a 'There is a problem with this website's security certificate' warning and when you click continue 'The webpage cannot be found'.

I first thought the problem were the hostnames of the other websites, jaar2007.rpnet.website.nl for example, while the wildcard probably only works for rpnet.website.nl and alikes. To counter this, I set jaar2007.rpnet.website.nl to rpnet2007.website.nl, correct the hostheader, rerun adsutil after removing the old securebinding, restarted the webserver and did everything what I can think of to be sure the settings are correct. Without results, still the same issues...

I am really REALLY out of options here. Is there anybody out there who have a clue ?

Very very much thanks in advance,

Mart
Robert
Posts: 8
Comment
Re: How To Configure SSL Host Headers in IIS 6
Reply #22 on : Fri November 13, 2009, 17:44:03
You can only apply the SSL certificate to one of the sites in IIS. You have to enable the other sites on the command line.

1. Remove the certificate and port 443 from the website properties of site 2 and site 3.
2. On the command line run these two commands (make sure there is a quote at the end instead of a colon like in the examples you posted before):
cscript.exe adsutil.vbs set /w3svc/938810307/SecureBindings ":443:<2nd domain name>"
cscript.exe adsutil.vbs set /w3svc/1847112758/SecureBindings ":443:<3rd domain name>"
3. Make sure all the sites are started and test them in the browser (you may need to restart the sites).

If that still doesn't work, shoot me an email at webmaster at this domain.
Last Edit: November 13, 2009, 17:48:06 by Robert  
dan
Posts: 18
Comment
Re: How To Configure SSL Host Headers in IIS 6
Reply #21 on : Thu November 12, 2009, 22:49:26
We have a Godaddy "UCC" certificate which enables us to have multiple domain names on the same IP and bound to port 443. Last week, I had to renew it. I had to generate a new CSR because godaddy now requires 2048 bit encryption instead of the old 1024.

I was able to get the certificate and install it in IIS 6 on all three of my domain names. Prior to this, all three certs were working (they just happened to expire 11/7/09 -- not sure if the new 2048 bit requirement has anything to do with it but I doubt it). However, I could only get one of the sites to "work" at once -- the other 2 weren't able to "start" in IIS and reported the following error: "The Parameter Is Incorrect" (also another error I encountered during this frantic process was "cannot create a file when that file already exists", but I cannot confirm how or when exactly it happened (was intermittent)).

Here is what I did in summary:

1. Installed the certificate(s). I can view the certs via IIS from the Directory Security Tab - shows valid dates expiring 11/2010 on all 3 domains.
2. On web server (IIS 6), opened a command prompt, changed directory to c:\inetpub\adminscripts and ran a script for each domain that needs to be bound to port 443. The script(s) are:

cscript.exe adsutil.vbs set /w3svc/1367670614/SecureBindings ":443:<1st domain name>:
PRESSED ENTER
cscript.exe adsutil.vbs set /w3svc/938810307/SecureBindings ":443:<2nd domain name>:
PRESSED ENTER
cscript.exe adsutil.vbs set /w3svc/1847112758/SecureBindings ":443:<3rd domain name>:
PRESSED ENTER

That should have been it, after those three scripts are run, I restarted IIS, then I should be able to right-click the website in IIS and Start, but that doesn't work. Get popup <the parameter is incorrect>

When I do this, the sites stop and cannot be started and report "The Parameter Is Incorrect" when I attempt to start them. In order to get the sites working (without SSL) I just removed 443 from the website properties so it wouldn't even try to bind to port 443. When I add 443 back in, the site stops itself.

Appreciate any help you've got Robert. I'm at a loss.

Dan
Robert
Posts: 8
Comment
Re: not working -- THE PARAMETER IS INCORRECT
Reply #20 on : Thu November 12, 2009, 17:37:20
Hi Dan,

Can you post more information about the exact commands that you ran? Were the sites working before you ran commands? Does it only give you the error when you start the IIS site?
dan
Posts: 18
Comment
not working -- THE PARAMETER IS INCORRECT
Reply #19 on : Thu November 12, 2009, 14:32:05
This all sounds simple enough, but I am getting "The Parameter Is Incorrect" after I run the cscript and attempt to start the sites. Anyone else run into this? In order for the sites to even work, I have to remove 443 from the "SSL Port" field in IIS 6.