Add additional certificate bindings to default website

This topic contains 2 replies, has 2 voices, and was last updated by JAYSON BENNETT 6 days, 17 hours ago.

  • #87071

    JAYSON BENNETT
    Participant

    I have a bunch of websites that are running on Server 2012R2 in the context of the default website with different host headers, and unique certificates. I need to add a net new site and bind a net new certificate on port 443 for that specific site, while maintaining the bindings for the other sites using 443. I'm trying to use PowerShell with the WebAdministration module to run

    New-Item -Path "IIS:\SslBindings\*!443!secure.site.com" -Thumbprint "certthumbprint"

    I'm getting the following warning and error though:

    WARNING: Binding host name 'secure.site.com' is not equals to certificate subject name 'CN=secure.site.com, OU=Domain Control Validated'. Client may not be able to connect to the site using HTTPS protocol.
    New-Item : Cannot create a file when that file already exists
    + CategoryInfo : NotSpecified: (:) [New-Item], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand

    Should I be trying to add the new binding as 0.0.0.0!443!secure.site.com, or is there a way to update the 443 binding to be able to add the new site/certificate thumbprint combo?

  • #87208

    postanote
    Participant

    You are restricted to one server certificate per endpoint (IP-port combination), since the server needs to use a particular server certificate for all connections to that endpoint (there are some RFCs about how the client can tell the server which certificate to choose, but that is not implemented in IIS7). If a site is bound to multiple endpoints, you can have multiple server certificates, one per endpoint.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
    'forums.iis.net/t/1031240.aspx?Multiple+SSL+Certificates+on+a+Web+Site+in+IIS7'

    But why are you not using a wildcard cert (one cert for your entire domain and thus all host header sites) for this effort vs. what sounds like you are trying to use individual certs?

    Well, outside of the expense of wildcard certs.

    You could also just add SANs to the cert for additional sites, but if you are adding and removing sites, updating that cert will become a management pain point. Well, you could use PoSH to replace it as well, as it is updated.

    Just curious.

    Anyway, you could also still use appcmd.exe or manually update the ApplicationHost.config file.

    In IIS8 W2K12, SNI is supported.
    Example use case: 'digicert.com/ssl-support/ssl-host-headers-iis-8.htm'

    • #87535

      JAYSON BENNETT
      Participant

      Unfortunately, these are all discrete sites that can't be managed using a wildcard or a SAN certificate.

      In your digicert.com/ssl-support/ssl-host-headers-iis-8.htm example, that is exactly what I am doing manually. I am editing the bindings to add the certificates for new sites that are created. I was hoping to see if there was a way to automate that in IIS8. So, we do have the host headers created. I just can't figure out how to get the certificate bound outside of the IIS GUI.
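The SNI route postanote points at (IIS 8/8.5 on Server 2012/2012 R2, which the original poster is on) can be scripted end to end with the WebAdministration module, without the GUI and without touching the other host-header sites on 443. The script below is an added example, not code from this thread: it creates the https binding for the new host header with SslFlags=1 (SNI) via New-WebBinding instead of New-Item on IIS:\SslBindings, attaches the certificate to that binding by thumbprint, and verifies the result in both IIS and HTTP.sys. The site name, host name and thumbprint are placeholders, and the subject/SAN parsing used to judge the "host name is not equal to certificate subject name" warning is a simple approximation written for this example.

```powershell
# Added example (not from the thread): add one SNI https binding on the shared
# 443 endpoint and attach its own certificate, leaving existing 443 bindings
# untouched. Needs IIS 8+ (Server 2012 / 2012 R2) and an elevated session.
# $siteName, $hostName and $thumbprint are placeholders (assumptions).
Import-Module WebAdministration

$siteName   = 'Default Web Site'   # site that carries the host-header bindings
$hostName   = 'secure.site.com'    # new host header to add
$thumbprint = 'CERTTHUMBPRINT'     # thumbprint of the cert in Cert:\LocalMachine\My

# 1. Sanity checks before touching the binding table.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert) { throw "Certificate $thumbprint is not in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key; TLS handshakes will fail" }

# Names the certificate actually covers: subject CN plus any SAN DNS names.
# (Approximate parsing, written for this example.) If the host header is not
# among them, browsers will reject the cert even though IIS accepts the binding.
$dnsNames = @($cert.Subject -replace '^CN=([^,]+).*', '$1')
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) {
    $dnsNames += @($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1] })
}
if ($dnsNames -notcontains $hostName) {
    Write-Warning "$hostName is not in the certificate's names: $($dnsNames -join ', ')"
}

# 2. Show the https bindings already on the site so nothing is overwritten by surprise.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object bindingInformation, sslFlags |
    Format-Table -AutoSize

# 3. Add the binding with SslFlags=1 (SNI). Without SNI, HTTP.sys keys the
#    certificate on IP:port, which is why only one cert per 443 endpoint works.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}

# 4. Attach the certificate to that SNI binding. AddSslCertificate registers the
#    hostname:port entry in HTTP.sys, the equivalent of
#    'netsh http add sslcert hostnameport=secure.site.com:443 certhash=... certstorename=MY'.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
$binding.AddSslCertificate($thumbprint, 'My')

# 5. Verify: the new entry is keyed by host name next to the existing IP:port
#    entries in IIS, and HTTP.sys lists it under hostnameport.
Get-ChildItem IIS:\SslBindings | Format-Table -AutoSize
netsh http show sslcert hostnameport="$($hostName):443"
```

Because the certificate is attached per host name rather than per IP:port, the script can be run once per new site with a different $hostName and $thumbprint each time; the existing 443 bindings and their certificates are never rewritten. Note that clients without SNI support will still be handed whatever certificate is bound to the IP:port endpoint, so keep that binding on a certificate that makes sense as the fallback.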
