December 6, 2017 at 6:00 pm #87071
I have a bunch of websites that are running on Server 2012R2 in the context of the default website with different host headers, and unique certificates. I need to add a net new site and bind a net new certificate on port 443 for that specific site, while maintaining the bindings for the other sites using 443. I'm trying to use PowerShell with the WebAdministration module to run
New-Item -Path "IIS:\SslBindings\*!443!secure.site.com" -Thumbprint "certthumbprint"
I'm getting the following warning and error though.
WARNING: Binding host name 'secure.site.com' is not equals to certificate subject name 'CN=secure.site.com, OU=Domain Control Validated'. Client may not be able to connect to the site using HTTPS protocol.
Cannot create a file when that file already exists
+ CategoryInfo : NotSpecified: (:) [New-Item], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
Should I be trying to add the new binding as 0.0.0.0!443!secure.site.com, or is there a way to update the 443 binding to be able to add the new site/certificate thumbprint combo?
December 6, 2017 at 11:48 pm #87208
You are restricted to one server certificate per endpoint (ip-port combination) since the server needs to use a particular server certificate for all connections to that endpoint (there are some rfcs about how the client can tell the server which certificate to choose but that is not implemented in iis7) – if a site is bound to multiple end-points, you can have multiple server certificates, one per endpoint.
Software Design Engineer
IIS Core Server
But why are you not using a Wildcard cert (one cert for your entire domain and thus all host header sites) for this effort vs what sounds like you are trying to use individual certs?
Well, outside of the expense of wild card certs.
You could also just add SANs to the cert for additional sites, but if you are adding and removing sites, updating that cert will become a management pain point. Well, you could use PoSH to replace it as well as it is updated.
Anyway, you could also still use appcmd.exe or manually update the ApplicationHost.config file.
In IIS8 W2K12, SNI is supported.
Example use case: 'digicert.com/ssl-support/ssl-host-headers-iis-8.htm'
December 7, 2017 at 4:38 pm #87535
Unfortunately, these are all discrete sites that can't be managed using a wildcard or a SAN certificate.
In your digicert.com/ssl-support/ssl-host-headers-iis-8.htm example, that is exactly what I am doing manually. I am editing the bindings to add the certificates for new sites that are created. I was hoping to see if there was a way to automate that in IIS8. So, we do have the host headers created. I just can't figure out how to get the certificate bound outside of the IIS GUI.
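An added example (not posted by anyone in this thread) of automating the SNI binding step in PowerShell with the WebAdministration module on IIS 8 or later; the site name, host name and thumbprint are placeholders, and the certificate checks before the binding are my own additions.

```powershell
# Added example, not from the thread: create an SNI https binding for one
# site on port 443 and attach its own certificate, leaving the existing
# 443 bindings of the other sites untouched. Requires IIS 8+ (Server 2012
# or later) and the WebAdministration module. Site name, host name and
# thumbprint used at the bottom are placeholders.
Import-Module WebAdministration

function Add-SniCertificateBinding {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $Thumbprint
    )

    # Sanity checks before touching IIS: the cert must be in the machine
    # store, have a private key, be inside its validity period and cover
    # the host name (SAN/CN); otherwise the binding is created but clients
    # get a name-mismatch error.
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint has expired" }
    if ($cert.DnsNameList.Unicode -notcontains $HostName) {
        throw "Certificate $Thumbprint does not cover $HostName"
    }

    # Refuse to clobber an existing https binding for this host name.
    if (Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName) {
        throw "An https binding for $HostName already exists on $SiteName"
    }

    # SslFlags 1 = SNI. Without it this would be a plain IP:port binding,
    # which cannot carry its own certificate next to the other sites
    # already using *:443.
    New-WebBinding -Name $SiteName -Protocol https -Port 443 `
        -IPAddress "*" -HostHeader $HostName -SslFlags 1

    # Attach the certificate to that binding only (store name "my").
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
    $binding.AddSslCertificate($Thumbprint, "my")

    # Return the resulting http.sys SSL binding so the caller can verify it.
    Get-ChildItem IIS:\SslBindings | Where-Object { $_.Host -eq $HostName }
}

# Placeholder values; replace with the real site, host name and thumbprint.
Add-SniCertificateBinding -SiteName "Default Web Site" -HostName "secure.site.com" -Thumbprint "<thumbprint>"
```

Run it from an elevated PowerShell session; afterwards `Get-ChildItem IIS:\SslBindings` should list one entry per SNI host name alongside the pre-existing 443 bindings.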