SSL Host Headers in IIS 7

SSL Host Headers in IIS 7 allow you to use one SSL certificate for multiple IIS websites on the same IP address. Through the IIS Manager interface, IIS only allows you to bind one site on each IP address to port 443 using an SSL certificate. If you try to bind a second site on the IP address to the same certificate, IIS 7 will give you an error when starting the site up stating that there is a port conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address, you will need to set up SSL Host Headers by following the instructions below.

What Type of SSL Certificate Do You Need?

Because you can only use one certificate, that certificate needs to work with all the hostnames of the websites that you use it with (otherwise you will receive a name mismatch error). For example, if each of your IIS 7 websites uses a subdomain of a single common domain name (like in the example below), you can get a Wildcard Certificate for *.mydomain.com and it will secure site1.mydomain.com, site2.mydomain.com, etc.

If, on the other hand, your IIS 7 sites all use different domain names (mail.mydomain1.com, mail.mydomain2.com, etc.), you will need to get a Unified Communications Certificate (also called a SAN certificate).

Setting up SSL Host Headers on IIS 7

  1. Obtain an SSL certificate and install it into IIS 7. For step-by-step instructions on how to do this, see Installing an SSL Certificate in Windows Server 2008 (IIS 7.0).

    Install SSL Certificate into IIS 7
  2. Once the certificate is installed into IIS, bind it to the first site on the IP address.

    Bind the SSL Certificate to the first site on the IP address
  3. Open the command prompt by clicking the Start menu, typing “cmd”, and pressing Enter.
  4. Navigate to C:\Windows\System32\Inetsrv\ by typing “cd C:\Windows\System32\Inetsrv\” on the command line.
  5. In the Inetsrv folder, run the following command for each of the other websites on the IP address that need to use the certificate (copy the entire command as a single line):

    appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

    Replace <IISSiteName> with the name of the IIS site and <hostHeaderValue> with the host header for that site (site1.mydomain.com).

    Run AppCmd to bind the other sites to port 443 using the same certificate
  6. Test each website in a browser. It should bring up the correct page and show the lock icon without any errors. If it brings up the web page of the first IIS site, then SSL Host Headers haven’t been set up correctly.
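
The procedure above as a script, added here as an example and not part of the original article: it checks that each host header is covered by the certificate's names before running the article's appcmd command for that site. The site names, host headers, certificate names and the helper Test-CertCoversHost are constructed assumptions; the check also applies the general rule that a wildcard matches only a single left-most label.

```powershell
# Added example. Site names, host headers and certificate names are constructed.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Names on the installed certificate (subject CN / SAN entries).
$certNames = @('*.mydomain.com')

# IIS site name -> host header, for every additional site on the IP address.
$sites = @{
    'Site2' = 'site2.mydomain.com'
    'Site3' = 'site3.mydomain.com'
    'Mail'  = 'mail.mydomain2.com'   # different domain: would need a SAN/UC certificate
}

# Hypothetical helper: does any certificate name cover this host header?
function Test-CertCoversHost {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label:
            # *.mydomain.com matches site1.mydomain.com,
            # but not mydomain.com and not a.b.mydomain.com.
            $suffix = $name.Substring(1)   # ".mydomain.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

foreach ($site in $sites.GetEnumerator()) {
    if (-not (Test-CertCoversHost -CertNames $certNames -HostName $site.Value)) {
        # Binding this site would produce a name mismatch error in the browser.
        Write-Warning "$($site.Value) is not covered by the certificate; skipping $($site.Key)"
        continue
    }
    # Same binding string as step 5, built per site.
    $binding = "/+bindings.[protocol='https',bindingInformation='*:443:$($site.Value)']"
    & $appcmd set site "/site.name:$($site.Key)" $binding
}

# Review the result: each https binding should show its own host header.
& $appcmd list sites
```

Run it from an elevated PowerShell prompt after completing steps 1 and 2, then test each site in a browser as in step 6.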

If you need to set up multiple sites to use a single SSL certificate on IIS 6 or Apache, see How To Configure SSL Host Headers in IIS 6. For more information about SSL Host Headers in IIS 7, see IIS 7.0: Add a Binding to a Site and SSL certificates on Sites with Host Headers.

Originally posted on Thu Feb 26, 2009

Comments (37)

  1. VoxVote:
    Feb 26, 2014 at 08:31 AM

    When reading above comments, I thought, piece of cake, and yes, after some sweat and struggle, everything set up as needed. Why was mine not click and go: (this might help others as well) - First of all the wildcard * in bindingInformation='*:443:sub1.yourdomain.com'] I had to change this to my dedicated / fixed IP. Created on first site, and on other sub sites. - Also, the biggest problem was: The wrong certificate was automatically assigned. After removing the server certificate and installing it again, everything worked like a charm. Thanks! Vincent van Witteloostuyn VoxVote The Netherlands

  2. Jace:
    Feb 02, 2014 at 08:30 AM

    Hi, 2 sites in 1 IP (www.test.com & try.xxx.com) A single SSL was already installed for www.test.com, now we want to install another SSL for try.xxx.com. would this be possible? Sorry really new with IIS, btw we are using IIS 7. Please help! Thanks in advance…

  3. Emrah:
    Dec 27, 2013 at 06:03 AM

    With lots of thanks from Istanbul, Turkey. I spent almost one day for this issue. And now, everything is ok. My www site and subdomain site are both working on the same SSL certificates that I installed in IIS.

  4. Arnold:
    Jul 24, 2013 at 11:05 AM

    yes you should receive a statue and a medal

  5. Nate:
    Jan 16, 2013 at 03:17 PM

    Is it possible to just Delete the Site and then add it back in to remove the SSL binding from it? Or will this also affect other sites using the same SSL Wildcard Certificate?

  6. Jeff:
    Dec 12, 2012 at 01:15 PM

    Savas, try this: Delete all bindings. Follow step 2 above using a placeholder domain. The placeholder domain should have one file: default.asp/default.aspx with a warning like "this site is off". Then follow step 3 for all the sites that have SSLs. Then https://Nosslinstalledsite.com and others will redirect to your placeholder domain with the warning. Or you can code the default doc to read the SERVER_NAME variable and redirect to the non-SSL version of whatever site they requested.

  7. Luis Perez:
    Sep 20, 2012 at 11:03 AM

    I had to assign host names to SSL sites so often that I ended up creating a UI for it. It looks and feels just like the IIS UI except that it allows you to assign host names to SSL sites. You can find it on my blog at simplygoodcode.com Great article, thanks!

  8. Dbo:
    Sep 03, 2012 at 09:05 AM

    Answer to Savas issue: blocking SSL... Look into URL Rewrite extension download from Microsoft for IIS.

  9. Mathias:
    Aug 28, 2012 at 11:54 PM

    Hi, I have 2 domains (www.domain1.com, www.domain2.com). For both I have a separate certificate. Both domains have the same IP, but a different hostheader. How can I add https with cert1 to domain1 and https with cert2 to domain2 (on the same IP)? Is it possible? regards Mathias

  10. frederic:
    Jul 19, 2012 at 07:55 AM

    If you want to remove binding for a site using your wildcard SSL certificate, the only method we found that does not destroy all iis configuration, is to open the applicationHost.config file using notepad, and remove the 443 binding line manually. If you use the iis console, or any script method (that calls the DLL used by the console), you will lose ALL your wildcard https bindings links. Binding will still be there but they are not working.

  11. Doug:
    Jun 14, 2012 at 02:45 PM

    if the websites are load balanced you can create them to use different ports. But you'll need to configure the networking correctly. Then you can install the certs for each site without other issues.

  12. Matthieu:
    May 03, 2012 at 09:24 AM

    Really great post, very helpful! One question though: why don't you specify a host header through the UI when you setup the first site? This would avoid the problem that Savas reports, ie. having non-ssl sites redirected to the first ssl site, don't you think?

  13. fuad:
    Apr 12, 2012 at 11:20 AM

    The correct command for IIS7 is: appcmd set site /site.name:"my site" /+bindings.[protocol='https',bindingInformation='*:443:my.site.com']

  14. Robert:
    Mar 02, 2012 at 08:11 AM

    Hi Savas, Until SNI is fully supported, there is no way to stop that from happening. The best you could do is add some custom code to the SSL site that checks what URL was typed in and redirects to the right URL.

  15. Savas:
    Feb 29, 2012 at 11:30 PM

    I have several sites hosted on the server, all sharing the same ip address. And have only one SSL certificate installed for one site. My problem is: The site that has ssl installed is: sslinstalledsite.com so https://sslinstalledsite.com shows up correctly. but if anyone types https://NOsslinstalledsite.com, the browser opens up https://Nosslinstalledsite.com, but shows the content of sslinstalledsite.com Is there a way to stop this?
