Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How configure SSL for an IIS Express site that uses multiple hostnames?

My web application project encompasses multiple web sites served under the umbrella of a single IIS Express site. I succeeded in following Scott Hanselman's excellent blog post, and IIS Express successfully serves both http://foo.local and http://bar.local from the same web application root directory.

However, I need both sites to support SSL. Following Hanselman's advice, I can create an SSL certificate and "attach" it to a single IP-port combination.

makecert -r -pe -n "CN=foo.local" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
netsh http add sslcert ipport=0.0.0.0:443 appid='{214124cd-d05b-4309-9af9-9caa44b2b74b}' certhash=284475d4a4eb5c4d3ab7da4fdefa928186482376

That succeeds, but I am unable to repeat the process for the second site. Evidently only one SSL certificate can be applied to a single IP-port combination.

How can I make an SSL certificate that covers both https://foo.local and https://bar.local, or otherwise "attach" one for each site?

like image 709
Bryan Avatar asked Jul 29 '14 22:07

Bryan


People also ask

Can we install multiple SSL certificates IIS?

From a single IP address and port, you can use multiple SSL certificates to secure various websites on a single domain (e.g., www.yourdomain.com, site2.yourdomain.com) or across multiple domains (e.g., www.domain1.com, www.domain2.com).

How do you create self-signed SSL in IIS?

In IIS Manager, do the following to create a self-signed certificate: In the Connections pane, select your server in the tree view and double-click Server Certificates. In the Actions pane, click Create Self-Signed Certificate. Enter a user-friendly name for the new certificate and click OK.


2 Answers

jww's answer led me in the right direction. Beyond Hanselman's instructions, here's what I had to do.

First of all, I enabled SNI on my site bindings in IIS Express' applicationhosts.config. This just meant appending the sslFlags attribute:

<binding protocol="https" bindingInformation="*:443:foo.local" sslFlags="1" />
<binding protocol="https" bindingInformation="*:443:bar.local" sslFlags="1" />

(credit: Configure SNI On IIS8?)

Then instead of using makecert, I created a self-signed certificate using PowerShell's New-SelfSignedCertificate cmdlet:

New-SelfSignedCertificate -DnsName foo.local, bar.local -CertStoreLocation cert:\LocalMachine\My

(credit: How to create a Self-Signed SAN Certificate in Windows 8)

Beside that, I followed Hanselman's instructions to use netsh http add sslcert... to "register" the certificate for the IP-port, and to use the MMC "Certificates" snap-in to make it trusted.

like image 173
Bryan Avatar answered Oct 17 '22 06:10

Bryan


Evidently only one SSL certificate can be applied to a single IP-port combination...

You need IIS 8 or above to use multiple certificates. IIS 8 support Server Name Indication (SNI). See Server Name Indication (SNI) with IIS 8 (Windows Server 2012).


How can I make an SSL certificate that covers both https://foo.local and https://bar.local ...

Create one certificate. In the certificate, place both names in the Subject Alternate Name (SAN). Place a friendly name in the CN.

The CN should be a friendly name because:

  1. The IETF deprecated placing a DNS name in the CN
  2. The CA/Browser Forums deprecated placing a DNS name in the CN
  3. CN's are often displayed to users, so they should be friendly

... or otherwise "attach" one for each site?

Upgrade to IIS 8 or Server 2012.


Following Hanselman's advice... makecert -r -pe -n "CN=foo.local"

His advice is wrong here.

like image 39
jww Avatar answered Oct 17 '22 07:10

jww