SSL Host Headers in IIS 7

SSL Host Headers in IIS 7 allow you to use one SSL certificate for multiple IIS websites on the same IP address. Through the IIS Manager interface, IIS only allows you to bind one site on each IP address to port 443 using an SSL certificate. If you try to bind a second site on the IP address to the same certificate, IIS 7 will give you an error when starting the site up stating that there is a port conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address, you will need to set up SSL Host Headers by following the instructions below.

What Type of SSL Certificate Do You Need?

Because you can only use one certificate, that certificate needs to work with all the hostnames of the websites that you use it with (otherwise you will receive a name mismatch error). For example, if each of your IIS 7 websites uses a subdomain of a single common domain name (like in the example below), you can get a Wildcard Certificate for *.mydomain.com and it will secure site1.mydomain.com, site2.mydomain.com, etc.

If, on the other hand, your IIS 7 sites all use different domain names (mail.mydomain1.com, mail.mydomain2.com, etc.), you will need to get a Unified Communications Certificate (also called a SAN certificate).

Setting up SSL Host Headers on IIS 7

  1. Obtain an SSL certificate and install it into IIS 7. For step-by-step instructions on how to do this, see Installing an SSL Certificate in Windows Server 2008 (IIS 7.0).

    Install SSL Certificate into IIS 7
  2. Once the certificate is installed into IIS, bind it to the first site on the IP address.

    Bind the SSL Certificate to the first site on the IP address
  3. Open the command prompt by clicking the Start menu, typing “cmd” and pressing Enter.
  4. Navigate to C:\Windows\System32\Inetsrv\ by typing “cd C:\Windows\System32\Inetsrv\” on the command line.
  5. In the Inetsrv folder, run the following command for each of the other websites on the IP address that need to use the certificate (enter it as a single command, even if it wraps on screen):

    appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

    Replace <IISSiteName> with the name of the IIS site and <hostHeaderValue> with the host header for that site (for example, site1.mydomain.com).

    Run AppCmd to bind the other sites to port 443 using the same certificate
  6. Test each website in a browser. It should bring up the correct page and show the lock icon without any errors. If it brings up the web page of the first IIS site, then SSL Host Headers haven’t been set up correctly.
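The certificate-coverage rule from "What Type of SSL Certificate Do You Need?" and the command from step 5 can be combined into a pre-flight check that flags any host header the certificate would not cover before a binding is added. This is an added example, not code from the original article; the site names, host names and the `plan_bindings` / `name_covers` helpers are assumptions made for illustration.

```python
import re

# Added example, not from the original article. Site and host names are constructed.
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def name_covers(cert_name, host):
    """True if one certificate DNS name covers host.

    A wildcard counts only as the whole left-most label and stands for exactly
    one label: *.mydomain.com covers site1.mydomain.com, but not mydomain.com
    or a.site1.mydomain.com.
    """
    host = host.lower()
    if not HOST_RE.fullmatch(host):
        return False  # also keeps stray characters out of the command line
    cert_labels = cert_name.lower().split(".")
    host_labels = host.split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def plan_bindings(cert_names, sites):
    """sites maps IIS site name -> host header; returns (commands, mismatches)."""
    commands, mismatches = [], []
    for site, host in sites.items():
        if '"' in site:
            raise ValueError(f"site name cannot be quoted safely: {site!r}")
        if any(name_covers(name, host) for name in cert_names):
            commands.append(
                f'appcmd set site /site.name:"{site}" '
                f"/+bindings.[protocol='https',bindingInformation='*:443:{host.lower()}']"
            )
        else:
            mismatches.append((site, host))
    return commands, mismatches


if __name__ == "__main__":
    cert_names = ["*.mydomain.com"]  # constructed: names on the wildcard certificate
    sites = {"Site2": "site2.mydomain.com", "Mail": "mail.mydomain2.com"}
    commands, mismatches = plan_bindings(cert_names, sites)
    print("\n".join(commands))
    for site, host in mismatches:
        print(f"NAME MISMATCH: {site} ({host}) is not covered by {cert_names}")
```

Any site reported as a mismatch would present a certificate that does not match its host name, so it needs a SAN entry on the certificate or a separate IP address instead of a host header binding.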

If you need to set up multiple sites to use a single SSL certificate on IIS 6 or Apache, see How To Configure SSL Host Headers in IIS 6. For more information about SSL Host Headers in IIS 7, see IIS 7.0: Add a Binding to a Site and SSL certificates on Sites with Host Headers.


Posted on February 26, 2009
Madman
Posts: 9
Comment
Change an existing HTTPS Binding Hostname/Hostheader
Reply #11 on : Mon July 12, 2010, 09:34:44
Scott Monaghan:

Try this it worked for me:
It changes the hostheader / host name of an existing https binding

http://technet.microsoft.com/en-us/library/cc753195%28WS.10%29.aspx
Dave Armga
Posts: 9
Comment
Host Headers SSL via the UI
Reply #10 on : Thu June 24, 2010, 14:54:44
You can also define SSL based Host Headers in IIS7's UI. It turns out to be pretty easy!

Check out
http://blog.armgasys.com/?p=80

Hopefully this saves someone some time and grief.
cbuzzsaw
Posts: 9
Comment
IIS 7 does allow you to edit host headers for SSL...caveat
Reply #9 on : Wed June 16, 2010, 13:28:44
Oh, an important thing I forgot to mention while using the GUI to modify host headers: this only works if you have a single wildcard certificate for every site on the server. Otherwise, you will get a surprise with it updating all of your sites with the last bound certificate. Microsoft recommends using netsh and appcmd for setting the certificate SSL bindings and IIS bindings, respectively. In certain instances the GUI and the API will work, but take precautions.

Good Luck,
cbuzzsaw
cbuzzsaw
Posts: 9
Comment
IIS 7 does allow you to edit host headers for SSL...
Reply #8 on : Wed June 16, 2010, 12:31:10
To tell IIS 7 manager to allow you to edit the host headers for HTTPS bindings, simply give your certificate a friendly name starting with an asterisk "*". This will tell the IIS GUI to unprotect the header field. Bizarre, I know, but it works...

Enjoy,
Chris
Robert
Posts: 2
Comment
Re: What if we only want one site to handle ssl requests
Reply #7 on : Fri April 23, 2010, 20:53:46
Hi Scott,

I'm not aware of an easy way to do that other than moving the other sites to a different IP address. Because SSL maps to an IP address, it will always go to the site with the certificate no matter what name you use. You might be able to detect the name they are using and redirect somehow.
Scott Monaghan
Posts: 9
Comment
What if we only want one site to handle ssl requests
Reply #6 on : Fri April 23, 2010, 13:48:43
I'm currently hosting several sites on a shared server, and one site has an SSL certificate.

The problem is when someone tries to access another site on my server with https://, it redirects to the SSL site since all incoming traffic over 443 is handled by that one website.

What I'd like to do is set up my server so it only accepts requests to 443 using the www.sslsite.com domain.

I was trying to use appcmd to accomplish this but I've had no luck. I'm able to create a binding, but as soon as I add the certificate in IIS it clears out the host name.

Any ideas?
Robert
Posts: 2
Comment
Re: great, but...
Reply #5 on : Thu January 28, 2010, 07:39:11
Hi Michael,

IIS doesn't allow you to add a hostname when setting up the binding for port 443. You just need to have a binding for port 80 with the appropriate hostname and then run the appcmd with that same hostname. You only bind the certificate to port 443 on one of the sites. The rest are bound using the appcmd.
michael
Posts: 9
Comment
great, but... (2)
Reply #4 on : Thu January 28, 2010, 05:26:51
Sorry. I can only add a host header with appcmd from the command line, not in the server manager. This field is always grayed out.

Michael
michael
Posts: 9
Comment
great, but...
Reply #3 on : Thu January 28, 2010, 05:22:04
After installing the certificate for one specific web site (say www.domain1.xy), I can access it via https. But when I call any other site (say www.domain2.xy) via https, I get redirected to the one site with the certificate.

When I edit the binding in the server manager, I can either add a host header or choose a certificate, but when I choose a certificate, the host header is gone and the field is grayed out.

Any way to use a certificate for a web site AND a host header? Do I need a special kind of certificate for that? (I just created one for testing purposes).

Best wishes
Michael

Thanks
Michael
spills
Posts: 9
Comment
Awesome
Reply #2 on : Fri January 22, 2010, 10:21:39
You would think IIS 7 would allow you to set this up via the management UI -- oh well. Your article saved me a whole lot of hassle -- thanks.
dossin
Posts: 9
Comment
Re: SSL Host Headers in IIS 7
Reply #1 on : Wed December 16, 2009, 23:01:24
you rock great tutorial!
