
Using IIS 6 and SSL host headers

Just because I wanted to have this documented for myself, let's set up SSL on IIS 6 so that it uses wildcard certs. This is only required if you are using host headers (several sites sharing one IP address).

To obtain a wildcard server certificate

  1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.
  2. Right-click the Web site for which you want to obtain a wildcard server certificate, and then click Properties.
  3. On the Directory Security tab, under Secure communications, click Server Certificate.
  4. In the Web Server Certificate Wizard, click Create a new certificate.
  5. Follow the Web Server Certificate Wizard, which will guide you through the process of requesting a new server certificate. On the Your Site's Common Name page, type a name in the Common name box, using the following format:
    *.{sitename}
    for example, *.somesite.com.
    By default, the certificate request file is saved as C:\Certreq.txt, but the wizard allows you to specify a different location.
  6. Click Finish to complete the wizard.
  7. Submit the certificate request to your signing authority (read == Money).

To create the metabase bindings

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Type the following command at the command prompt (the .vbs is in inetpub\adminscripts):
    cscript.exe adsutil.vbs set /w3svc/{site identifier}/SecureBindings ":443:{host header}"
    where {host header} is the host header for the Web site, for example test.somesite.com, and {site identifier} corresponds to the number shown for the site in the IIS admin.
  3. You can set up as many bindings as required; if recollection serves, they are delimited by colons, so it would be ":443:{host header1}:443:{host header n}".
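The metabase entry format above is IP:port:hostheader, and the whole thing only works because one wildcard certificate has to be valid for every host header bound on port 443. The following helper is an added example, not code from the original post or from IIS: it builds SecureBindings entries and the cscript line in the form the post uses, and checks each bound host header against the certificate's common name using the browser rule that a wildcard matches exactly one left-most label (so *.somesite.com covers test.somesite.com but not somesite.com or a.b.somesite.com). The host names and site identifier are constructed sample values, and passing several SecureBindings entries as separate quoted arguments to adsutil.vbs is an assumption about how list properties are set, not something the post states.

```python
"""Check IIS 6 SSL host-header bindings against a wildcard certificate.

Added example; not part of the original post or of IIS. Host names,
site identifier and the multi-argument adsutil form are assumptions.
"""
from typing import List


def wildcard_covers(cert_cn: str, host: str) -> bool:
    """Return True if a certificate issued for cert_cn is valid for host.

    Browsers only accept a wildcard for the left-most label, so
    *.somesite.com covers test.somesite.com but neither somesite.com
    itself nor a.b.somesite.com. Comparison is case-insensitive.
    """
    cert_cn = cert_cn.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_cn.startswith("*."):
        return cert_cn == host            # plain, non-wildcard certificate
    suffix = cert_cn[1:]                  # ".somesite.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]          # the part the * stands for
    return bool(label) and "." not in label and "*" not in label


def secure_binding(host: str, port: int = 443, ip: str = "") -> str:
    """Build one SecureBindings entry in the metabase IP:port:hostheader form.

    An empty IP means 'all unassigned', which is what the post's ":443:" uses.
    """
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if ":" in host or " " in host or not host:
        raise ValueError("host header must be non-empty and contain no ':' or spaces")
    return f"{ip}:{port}:{host}"


def adsutil_command(site_id: int, bindings: List[str]) -> str:
    """Render the cscript line from the post for a site identifier.

    Assumption: each SecureBindings entry is passed as its own quoted argument.
    """
    quoted = " ".join(f'"{b}"' for b in bindings)
    return f"cscript.exe adsutil.vbs set /w3svc/{site_id}/SecureBindings {quoted}"


def uncovered_hosts(cert_cn: str, bindings: List[str]) -> List[str]:
    """Return the host headers in the bindings that cert_cn does NOT cover.

    Any host listed here would produce a certificate-name mismatch in the
    browser, because IIS 6 serves the same certificate to every host header
    on the port.
    """
    missing = []
    for entry in bindings:
        _ip, _port, host = entry.split(":", 2)   # IP and port may be empty
        if host and not wildcard_covers(cert_cn, host):
            missing.append(host)
    return missing


if __name__ == "__main__":
    # Constructed sample: site id 1 with three host headers on port 443.
    cn = "*.somesite.com"
    hosts = ["test.somesite.com", "www.somesite.com", "a.b.somesite.com"]
    entries = [secure_binding(h) for h in hosts]
    print(adsutil_command(1, entries))
    print("not covered by", cn, ":", uncovered_hosts(cn, entries))
```

Run the check before you commit the bindings: a host header that shows up in the uncovered list needs either its own certificate on a separate IP or a different name under the wildcard's domain.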

Comments
Does this mean you can actually set up multiple SSL certificates (wildcard or non-wildcard) on a server running host headers where you have multiple websites sharing a single IP address?

If that is the case, this is somewhat of a Holy Grail in terms of the capability of Windows. In the past it has always been One IP per One SSL Certificate.

Josen
# Posted By Josen Ruiseco | 2/27/07 5:41 PM
We combined 4 servers down to 2, which required combining two domains. The only reason this worked is that they are both subdomains. And even then, the only reason we had to do this at all is that our servers need to listen on all IPs due to the limited capabilities of our load balancer. Each node cannot have more than 1 IP in the balancer's eyes... which is really shortsighted.

So, the easiest solution (well, most practical) was to just use a wildcard cert and manually assign it in the metabase. The other pain is that wildcard certs cannot be exported. Each machine in the cluster had to generate its own cert.
# Posted By Matthew Williams | 2/27/07 7:23 PM
I've always meant to try such a thing but never gotten around to it. One thing that stopped me was the belief that only TLS clients would enjoy the benefit and SSL users would get the same site every time (and which one?). What's the compatibility verdict on the setup?
I actually support a server that has a wildcard certificate with a wildcard DNS and the application sorts out which 'site' you meant based on the domain name, which accomplishes the same thing, sort of. It makes clustering all but impossible though.
# Posted By Coliin | 2/27/07 7:48 PM