Multiple SSL certificates in one azure deployment

Question

I have a problem similar to (but not the same) as this:
Azure web role - Multiple ssl certs pointing to a single endpoint

My azure package contains multiple sites. Some of these sites are on domain abc and others are on domain def. I need to secure both domains with SSL but can't figure out how (if it's possible) to do this.

Here's an example of my config:

<Sites>
    <Site name="sub1.abc" physicalDirectory="***">
        <Bindings>
            <Binding name="HttpIn" endpointName="HttpIn" hostHeader="sub1-staging.abc.com" />
            <Binding name="HttpsInABC" endpointName="HttpsInABC" hostHeader="sub1.abc.com" />
        </Bindings>
    </Site>
    <Site name="sub1.def" physicalDirectory="***">
        <Bindings>
            <Binding name="HttpIn" endpointName="HttpIn" hostHeader="sub1-staging.def.com" />
            <Binding name="HttpsInDEF" endpointName="HttpsInDEF" hostHeader="sub1.def.com" />
        </Bindings>
    </Site>
</Sites>
<Endpoints>
    <InputEndpoint name="HttpIn" protocol="http" port="80" />
    <InputEndpoint name="HttpsInABC" protocol="https" port="443" certificate="abc" />
    <InputEndpoint name="HttpsInDEF" protocol="https" port="443" certificate="def" />
</Endpoints>
<Certificates>
    <Certificate name="abc" storeLocation="LocalMachine" storeName="My" />
    <Certificate name="def" storeLocation="LocalMachine" storeName="My" />
</Certificates>

This configuration gives me the following error:

The same local port '443' is assigned to endpoints HttpsInABC and HttpsInDEF in role ***.

Any suggestions on how I can work around this without having to host them separately?

Based on @JoelDSouza's answer:

Will using different ports work for you

What are the implications of SSL on ports 444/445/446 etc. in Windows Azure?

Answer 1

You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.

IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.

I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at: http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/

Answer 2

I fear you are out of luck - as noted in the article you linked to, one SSL certificate per server IP. I guess by hosting them separately (that feels odd to say considering it's cloud based) you will get two IPs and therefore can add an SSL certificate to each IP address.

You could perhaps move everything to one domain and use folders within that domain to host the separate sites - that's the only way you will be able to secure everything with your SSL certificate without having two hosting packages: ie instead of:

www.domain1.com and www.domain2.com use www.mydomain.com/domain1/ and www.mydomain.com/domain2/