Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Azure web role - Multiple ssl certs pointing to a single endpoint

Is there a way I can have multiple ssl certificates point to a single inputendpoint in a service definition? For example, lets say I have two url's.

service.foo.net/Service.svc

service.doo.net/Service.svc

I want both of these addresses to resolve to my windows azure service, but I'm not sure how to configure this in the service definition.

<Certificates>
   <Certificate name="service.foo.net" storeLocation="LocalMachine" storeName="My" />
   <Certificate name="service.doo.net" storeLocation="LocalMachine" storeName="My" />
  </Certificates>
  <Endpoints>
   <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="service.foo.net" />
  </Endpoints>

According to this MSDN article, each input endpoint must have a unique port. Is there any way to specify more than once certificate for this endpoint?

like image 610
Brosto Avatar asked Dec 16 '10 13:12

Brosto


People also ask

Can you have multiple SSL certificates for one domain?

You can install multiple SSL certificates on a domain, but first a word of caution. A lot of people want to know whether you can install multiple SSL certificates on a single domain. The answer is yes.

How do multi domain SSL certificates work?

A multi domain SSL certificate is a single certificate that covers multiple domains on a single IP. When it comes to the strength of encryption, a SAN or a UCC multi domain certificate uses the same encryption standards as the rest of the solutions offered by any trusted third-party certificate authority (CA).

Can you have multiple wildcard SSL certificates?

A multi-domain wildcard SSL certificate can also be used as a multi-level wildcard. Multi-domain wildcards use wildcard SANs, you can include an asterisk in them. So, using a multi-domain wildcard enables you to secure all the sites we listed above with just a few wildcard SANs — all on the same SSL certificate.


2 Answers

Unfortunately this is not possible. Azure is re-exposing an SSL limitation. The SSL limitation is interesting, and the reason you can't use v-hosts over SSL. Lets walk through an example:

  1. You connect to https://ig2600.blogspot.com
  2. That resolves to some ip address - say 8.8.8.8
  3. Your browser now connects to 8.8.8.8
  4. 8.8.8.8 must preset a certificate before your browser will send any data
  5. the browser verifies the ceritificate presented is for ig2600.blogspot.com
  6. You send the http request, which contains your domain name.

Since the server needs to present a certificate before you tell it the host name you want to talk to, the server can't know which certificate to use if multiple are present, thus you can only have a single cert.

like image 178
Igor Dvorkin Avatar answered Sep 18 '22 16:09

Igor Dvorkin


"Oliver Bock"'s answer may work for you and "Igor Dvorkin"'s answer is not valid anymore since IIS 8 with Windows Server 2012 supports SNI, which enables you to add a "hostheader" to HTTPS bindings and having multiple SSL certificates to different domains listening to the same HTTPS port.

You need to automate the process of installing the certificates on the machine and add HTTPS bindings to IIS.

I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at: http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/

like image 22
Vitor Ciaramella Avatar answered Sep 20 '22 16:09

Vitor Ciaramella