
SSL Host Headers in IIS 7

SSL Host Headers in IIS 7 allow you to use one SSL certificate for multiple IIS websites on the same IP address. Through the IIS Manager interface, IIS only allows you to bind one site on each IP address to port 443 using an SSL certificate. If you try to bind a second site on the IP address to the same certificate, IIS 7 will give you an error when starting the site up stating that there is a port conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address, you will need to set up SSL Host Headers by following the instructions below.

What Type of SSL Certificate Do You Need?

Because you can only use one certificate, that certificate needs to work with all the hostnames of the websites that you use it with (otherwise you will receive a name mismatch error). For example, if each of your IIS 7 websites uses a subdomain of a single common domain name (like in the example below), you can get a Wildcard Certificate for *.mydomain.com and it will secure site1.mydomain.com, site2.mydomain.com, etc.

If, on the other hand, your IIS 7 sites all use different domain names (mail.mydomain1.com, mail.mydomain2.com, etc.), you will need to get a Unified Communications Certificate (also called a SAN certificate).

Setting up SSL Host Headers on IIS 7

  1. Obtain an SSL certificate and install it into IIS 7. For step-by-step instructions on how to do this, see Installing an SSL Certificate in Windows Server 2008 (IIS 7.0).

  2. Once the certificate is installed into IIS, bind it to the first site on the IP address.

  3. Open the command prompt by clicking the Start menu, typing “cmd” and pressing Enter.
  4. Navigate to C:\Windows\System32\Inetsrv\ by typing “cd C:\Windows\System32\Inetsrv\” on the command line.
  5. In the Inetsrv folder, run the following command for each of the other websites on the IP address that need to use the certificate (enter it as a single line):

    appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

    Replace <IISSiteName> with the name of the IIS site and <hostHeaderValue> with the host header for that site (for example, site1.mydomain.com).

  6. Test each website in a browser. It should bring up the correct page and show the lock icon without any errors. If it brings up the web page of the first IIS site, then SSL Host Headers haven’t been set up correctly.
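
A pre-flight check for the steps above, added here as an example and not part of the original article: it tests whether each site's host header is covered by the certificate's names (wildcard or SAN) and, only for those that are, builds the appcmd command from step 5. The site names, host names and the helpers `name_covers` and `plan_bindings` are constructed for illustration; the wildcard rule assumed is the usual one, where `*` stands for exactly one left-most label.

```python
# Added example: names, sites and certificate contents below are constructed.

def name_covers(cert_name: str, host: str) -> bool:
    """True if one certificate DNS name covers host.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, so *.mydomain.com covers site1.mydomain.com but not
    mydomain.com or a.b.mydomain.com.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if cert_labels[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def plan_bindings(cert_names, sites, ip="*", port=443):
    """Map each IIS site name to ('ok', appcmd command) or ('mismatch', reason)."""
    plan = {}
    for site, host in sites.items():
        if not any(name_covers(n, host) for n in cert_names):
            plan[site] = ("mismatch", f"{host!r} is not covered by {sorted(cert_names)}")
            continue
        binding = f"{ip}:{port}:{host}"
        plan[site] = (
            "ok",
            f'appcmd set site /site.name:"{site}" '
            f"/+bindings.[protocol='https',bindingInformation='{binding}']",
        )
    return plan


if __name__ == "__main__":
    wildcard = {"*.mydomain.com"}        # constructed certificate names
    sites = {                            # constructed IIS site -> host header
        "Site1": "site1.mydomain.com",
        "Site2": "site2.mydomain.com",
        "Apex": "mydomain.com",
        "Mail2": "mail.mydomain2.com",
    }
    for site, (status, detail) in plan_bindings(wildcard, sites).items():
        print(f"{site:6} {status:9} {detail}")
```

Sites reported as a mismatch would serve the shared certificate with a name error in the browser, so they need a certificate that lists their host name before the binding is added.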

If you need to set up multiple sites to use a single SSL certificate on IIS 6 or Apache, see How To Configure SSL Host Headers in IIS 6. For more information about SSL Host Headers in IIS 7, see IIS 7.0: Add a Binding to a Site and SSL certificates on Sites with Host Headers.

Originally posted on Thu Feb 26, 2009

Comments


dossin(2014-12-13)

you rock great tutorial!

Robert(2014-12-13)

Hi Glenn,

You can't use two different SSL certificates with just one IP address. If you need to use two separate certificates, you'll need to have a unique IP for each site and then just install the certificates like normal (you won't need to set up SSL Host Headers)

jonhos(2014-12-13)

Great Post, still needing this in 2011

MS botched this part, glad you got it figured out

spills(2014-12-13)

You would think iis-7 would allow you set this up via management UI -- oh well. Your article saved me a whole lot of hassle -- thanks.

michael(2014-12-13)

Sorry. I can only add a host header with appcmd from the command line, not in the server manager. This field is always grayed out.

Michael

michael(2014-12-13)

After installing the certificate for one specific web site (say www.domain1.xy), I can access it via https. But when I call any other site (say www.domain2.xy) via https, I get redirected to the one site with the certificate.

When I edit the binding in the server manager, I can either add a host header or choose a certificate, but when I choose a certificate, the host header is gone and the field is grayed out.

Any way to use a certificate for a web site AND a host header? Do I need a special kind of certificate for that? (I just created one for testing purposes).

Best wishes
Michael

Thanks
Michael

Scott Monaghan(2014-12-13)

I'm currently hosting several sites on a shared server, and one site has an SSL certificate.

The problem is when someone tries to access another site on my server with https://, it redirects to the SSL site since all incoming traffic over 443 is handled by that one website.

What I'd like to do is set up my server so it only accepts requests to 443 using the www.sslsite.com domain.

I was trying to use appcmd to accomplish this but I've had no luck. I'm able to create a binding, but as soon as I add the certificate in IIS it clears out the host name.

Any ideas?

Robert(2014-12-13)

Hi Scott,

I'm not aware of an easy way to do that other than moving the other sites to a different IP address. Because SSL maps to an IP address, it will always go to the site with the certificate no matter what name you use. You might be able to detect the name they are using and redirect somehow.

cbuzzsaw(2014-12-13)

To tell IIS 7 manager to allow you to edit the host headers for HTTPS bindings, simply give your certificate a friendly name starting with an asterisk "*". This will tell the IIS GUI to unprotect the header field. Bizarre I know but it works...

Enjoy,
Chris

Robert(2014-12-13)

Hi Michael,

IIS doesn't allow you to add a hostname when setting up the binding for port 443. You just need to have a binding for port 80 with the appropriate hostname and then run the appcmd with that same hostname. You only bind the certificate to port 443 on one of the sites. The rest are bound using the appcmd.

Dave Armga(2014-12-13)

You can also define SSL based Host Headers in IIS7's UI. It turns out to be pretty easy!

Check out
http://blog.armgasys.com/?p=80

Hopefully this saves someone some time and grief.

Madman(2014-12-13)

Scott Monaghan:

Try this it worked for me:
It changes the hostheader / host name of an existing https binding

http://technet.microsoft.co...

cbuzzsaw(2014-12-13)

Oh, an important thing I forgot to mention while using the GUI to modify host headers, this only works if you have a single wildcard certificate for every site on the server. Otherwise, you will get a surprise with it updating all of your sites with the last bound certificate. Microsoft recommends using netsh and appcmd or setting the certificate ssl bindings and iis bindings, respectively. In certain instances the gui and the API will work but take precautions.

Good Luck,
cbuzzsaw

Robert(2014-12-13)

We're loading two HTTPS domains on one server, the outside world will see one IP address. One of the tech guys at VeriSign told me that IIS7 isn't friendly using one IP for multiple HTTPS domains. So... I landed here. Simple enough solution, but two questions.

1) Where the "Add Site Binding" has "IP Address" with a default of "All Unassigned", should I leave that or direct it to our servers IP (172.16.0.4)?

2) Is it important to put a Host name in? I saw in the AppCmd information that it has a space for a host name, but in the GUI information a host name was not added.

I appreciate the article and would appreciate any feedback.

Thanks,
Scott

Robert(2014-12-13)

Hi ScottDaytonOH,

1) You can leave "All Unassigned" if the server only has one IP address. Otherwise, I would enter the IP address that the site will use.

2) The hostname is what allows the certificate to work on another IIS site. Currently the GUI doesn't allow you to enter a hostname for use with https which is why you need to use the command line.

Marco(2014-12-13)

The writer of this article should receive a statue. Configured in 10mins what took me already days in front to find out.

Parrotlover77(2014-12-13)

If you have a lot of IPs and a lot of sites on those different IPs, I find it a lot easier to just modify the existing HTTPS binding, with the certificate already selected, than to create a new one and hope it selects the right certificate (frequently it won't select any).

appcmd set site /site.name:"<iissitename>" /bindings.[protocol='https',bindingInformation='<ipaddress>:443:'].bindingInformation:<ipaddress>:443:<hostheadervalue>

Glenn(2014-12-13)

We have a non-wildcard SSL cert installed for our domain, www.ourdomain.com. All SSL requests are directed through port 444 via the load balancers. We have a subdomain, test.ourdomain.com in which we need to install a separate non-wildcard SSL Cert. We've purchased an SSL Cert with the CN test.ourdomain.com which is to be used for our subdomain.

I'm looking to confirm that my installation of the subdomains SSL Cert on IIS7 is correct; I believe it is thanks to this article. I created a new binding for test.ourdomain.com, using https on port 444 and I set the SSL Certificate to the test.ourdomain.com Cert which was an option in the drop down. Next, I ran the command:

appcmd set site /site.name:"test.ourdomain.com" /bindings.[protocol='https',bindingInformation='*:444:'].bindingInformation:*:444:test.ourdomain.com

This then correctly set the host header of the existing binding to be test.ourdomain.com and thus requests to https://test.ourdomain.com will in turn use the non-wildcard SSL Cert test.ourdomain.com while the domain itself will continue to use the existing SSL Cert www.ourdomain.com. Again, just looking for confirmation that this sounds correct, thanks in advance!

Stian Sandberg(2014-12-13)

If you add a * to the friendly name of the wildcard certificate, you will be able to set the host name in IIS. :)
http://blog.armgasys.com/?p=80

James Blackman(2014-12-13)

Thanks for this. Was pulling my hair out trying to configure this in IIS7.5

:)

Goycolea(2014-12-13)

for those that have their HostHeader Blocked for writing need to go to:

Launch the Microsoft Management Console (MMC)
Select Start, Run
Type in mmc and hit enter
From the console, select File, Add / Remove Snap-in
Select Certificates from the Add / Remove dialog
Select Computer Account when prompted for which certificates the snap-in will manage.
Select Local Computer when prompted
Click OK to add the Snap-in to the MMC
Locate your SSL certificate
For self-signed (SELFSSL), look in Personal
For installed / purchased, look in the appropriate folder the certificate was originally installed in
Right click on the certificate and select properties
Edit the Friendly Name field so the name starts with an *

everything else is ok on this tutorial, great job !!

but it is important that the friendly name starts with an * or else you won't be able to write your host header.

Goycolea

Savas(2014-12-13)

I have several sites hosted on the server, all sharing the same ip address. And have only one SSL certificate installed for one site.

My problem is:
The site that has ssl installed is: sslinstalledsite.com
so https://sslinstalledsite.com shows up correctly.

but if anyone types https://NOsslinstalledsite.com, the browser opens up https://Nosslinstalledsite.com, but shows the content of sslinstalledsite.com

Is there a way to stop this?

Z(2014-12-13)

What's the command line syntax for IIS7 to add multiple domain names for the same binding? For example, in IIS6 we would just separate each domain with a space like this:

cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:www01.domain.com" ":443:www02.domain.com"

fuad(2014-12-13)

The correct command for IIS7 is:
appcmd set site /site.name:"my site" /+bindings.[protocol='https',bindingInformation='*:443:my.site.com']

Robert(2014-12-13)

Hi Savas,

Until SNI is fully supported, there is no way to stop that from happening. The best you could do is add some custom code to the SSL site that checks what URL was typed in and redirects to the right URL.

Matthieu(2014-12-13)

Really great post, very helpful!

One question though: why don't you specify a host header through the UI when you setup the first site?
This would avoid the problem that Savas reports, ie. having non-ssl sites redirected to the first ssl site, don't you think?

frederic(2014-12-13)

If you want to remove binding for a site using your wildcard SSL certificate, the only method we found that does not destroy all iis configuration, is to open the applicationHost.config file using notepad, and remove the 443 binding line manually. If you use the iis console, or any script method (that calls the DLL used by the console), you will lose ALL your wildcard https bindings links. Binding will still be there but they are not working.

Doug(2014-12-13)

if the websites are load balanced you can create them to use different ports. But you'll need to configure the networking correctly. Then you can install the certs for each site without other issues.

Dbo(2014-12-13)

Answer to Savas issue: blocking SSL... Look into URL Rewrite extension download from Microsoft for IIS.

Mathias(2014-12-13)

Hi,
I have 2 domains (www.domain1.com, www.domain2.com). For both I have a separate certificate. Both domains have the same IP, but a different hostheader. How can I add https with cert1 to domain1 and https with cert2 to domain2 (on the same IP)? Is it possible?
regards
Mathias

eltonnakamura(2016-07-05)

i have the same problem...

eltonnakamura(2016-07-06)

i have the same problem...can you help me?

Emre Ozcan(2018-03-02)

It is not possible on IIS 7.x version, you should upgrade the server and IIS to a newer version of 8.x

Luis Perez(2014-12-13)

I had to assign host names to SSL sites so often that I ended up creating a UI for it. It looks and feels just like the IIS UI except that it allows you to assign host names to SSL sites.

You can find it on my blog at simplygoodcode.com

Great article, thanks!

Jeff(2014-12-13)

Savas, try this:
Delete all bindings.
Follow step 2 above using a placeholder domain.
The placeholder domain should have one file: default.asp/default.aspx with a warning like "this site is off".
Then follow step 3 for all the sites that have SSLs.
Then https://Nosslinstalledsite.com and others will redirect to your placeholder domain with the warning.
Or you can code the default doc to read the SERVER_NAME variable and redirect to the non-SSL version of whatever site they requested.

Nate(2014-12-13)

Is it possible to just Delete the Site and then add it back in to remove the SSL binding from it? Or will this also affect other sites using the same SSL Wildcard Certificate?

VoxVote(2014-12-13)

When reading above comments, I thought, piece of cake, and yes, after some sweat and struggle, everything set up as needed.

Why was mine not click and go: (this might help others as well)
- First of all the wildcard * in bindingInformation='*:443:sub1.yourdomain.com']
I had to change this to my dedicated / fixed IP. Created on first site, and on other sub sites.
- Also, the biggest problem was: The wrong certificate was automatically assigned. After removing the server certificate and installing it again, everything worked like a charm.

Thanks!
Vincent van Witteloostuyn
VoxVote
The Netherlands

Emrah(2014-12-13)

With lots of thanks from Istanbul, Turkey. I spent almost one day for this issue. And now, everything is ok. My www site and subdomain site are both working on the same SSL certificates that I installed IIS

Arnold(2014-12-13)

yes you should receive a statue and a medal

Jace(2014-12-13)

Hi,
2 sites in 1 IP (www.test.com & try.xxx.com)

A single SSL was already installed for www.test.com, now we want to install another SSL for try.xxx.com. would this be possible?

Sorry really new with IIS, btw we are using IIS 7.

Please help!

Thanks in advance…


Kb Toi(2015-03-29)

Awesome

Ranga14(2016-02-06)

Whenever I attempted this I received a 500 - Internal server error after going back and attempting to view my web site.

Rafael Fischer(2017-02-02)

Fantastic! Thank you!
