My web application project encompasses multiple web sites served under the umbrella of a single IIS Express site. I succeeded in following Scott Hanselman's excellent blog post, and IIS Express successfully serves both http://foo.local and http://bar.local from the same web application root directory.
However, I need both sites to support SSL. Following Hanselman's advice, I can create an SSL certificate and "attach" it to a single IP-port combination.
makecert -r -pe -n "CN=foo.local" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
netsh http add sslcert ipport=0.0.0.0:443 appid='{214124cd-d05b-4309-9af9-9caa44b2b74b}' certhash=284475d4a4eb5c4d3ab7da4fdefa928186482376
That succeeds, but I am unable to repeat the process for the second site. Evidently only one SSL certificate can be applied to a single IP-port combination.
How can I make an SSL certificate that covers both https://foo.local and https://bar.local, or otherwise "attach" one for each site?
From a single IP address and port, you can use multiple SSL certificates to secure various websites on a single domain (e.g., www.yourdomain.com, site2.yourdomain.com) or across multiple domains (e.g., www.domain1.com, www.domain2.com).
In IIS Manager, do the following to create a self-signed certificate: In the Connections pane, select your server in the tree view and double-click Server Certificates. In the Actions pane, click Create Self-Signed Certificate. Enter a user-friendly name for the new certificate and click OK.
jww's answer led me in the right direction. Beyond Hanselman's instructions, here's what I had to do.
First of all, I enabled SNI on my site bindings in IIS Express' applicationhosts.config. This just meant appending the sslFlags
attribute:
<binding protocol="https" bindingInformation="*:443:foo.local" sslFlags="1" />
<binding protocol="https" bindingInformation="*:443:bar.local" sslFlags="1" />
(credit: Configure SNI On IIS8?)
Then instead of using makecert
, I created a self-signed certificate using PowerShell's New-SelfSignedCertificate
cmdlet:
New-SelfSignedCertificate -DnsName foo.local, bar.local -CertStoreLocation cert:\LocalMachine\My
(credit: How to create a Self-Signed SAN Certificate in Windows 8)
Beside that, I followed Hanselman's instructions to use netsh http add sslcert...
to "register" the certificate for the IP-port, and to use the MMC "Certificates" snap-in to make it trusted.
Evidently only one SSL certificate can be applied to a single IP-port combination...
You need IIS 8 or above to use multiple certificates. IIS 8 support Server Name Indication (SNI). See Server Name Indication (SNI) with IIS 8 (Windows Server 2012).
How can I make an SSL certificate that covers both
https://foo.local
andhttps://bar.local
...
Create one certificate. In the certificate, place both names in the Subject Alternate Name (SAN). Place a friendly name in the CN.
The CN should be a friendly name because:
... or otherwise "attach" one for each site?
Upgrade to IIS 8 or Server 2012.
Following Hanselman's advice...
makecert -r -pe -n "CN=foo.local"
His advice is wrong here.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With