Add additional certificate bindings to default website


This topic contains 2 replies, has 2 voices, and was last updated 1 year, 5 months ago.

  • Author
  • #87071

    I have a bunch of websites that are running on Server 2012R2 in the context of the default website with different host headers, and unique certificates. I need to add a net new site and bind a net new certificate on port 443 for that specific site, while maintaining the bindings for the other sites using 443. I'm trying to use PowerShell with the WebAdministration module to run:

    New-Item -Path "IIS:\SslBindings\*!443!" -Thumbprint "certthumbprint"

    I'm getting the following warning and error though.

    WARNING: Binding host name '' is not equals to certificate subject name ', OU=Domain Control Validated'. Client may not be able to connect to the site using HTTPS protocol.
    Cannot create a file when that file already exists
    + CategoryInfo : NotSpecified: (:) [New-Item], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand

    Should I be trying to add the new binding as !443!, or is there a way to update the 443 binding to be able to add the new site/certificate thumbprint combo?

  • #87208

    You are restricted to one server certificate per endpoint (IP-port combination) since the server needs to use a particular server certificate for all connections to that endpoint (there are some RFCs about how the client can tell the server which certificate to choose, but that is not implemented in IIS7) – if a site is bound to multiple endpoints, you can have multiple server certificates, one per endpoint.

    Anil Ruia
    Software Design Engineer
    IIS Core Server

    But why are you not using a wildcard cert (one cert for your entire domain and thus all host header sites) for this effort vs. what sounds like you are trying to use individual certs?

    Well, outside of the expense of wild card certs.

    You could also just add SANs to the cert for additional sites, but if you are adding and removing sites, updating that cert will become a management pain point. Well, you could use PoSH to replace it as well as it is updated.

    Just curious.

    Anyway, you could also still use appcmd.exe or manually update the ApplicationHost.config file.

    In IIS8 W2K12, SNI is supported.
    Example use case: ''

    • #87535

      Unfortunately, these are all discrete sites that can't be managed using a wildcard or a SAN certificate.

      In your example, that is exactly what I am doing manually. I am editing the bindings to add the certificates for new sites that are created. I was hoping to see if there was a way to automate that in IIS8. So, we do have the host headers created. I just can't figure out how to get the certificate bound outside of the IIS GUI.
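
Added example, not part of the thread: one way to script the per-host certificate binding on IIS 8 (Server 2012 and later) using SNI, so each host header on port 443 gets its own certificate instead of colliding with the existing `*:443` entry. The function name `Add-SniCertificateBinding`, the hostname and the thumbprint placeholder are assumptions; the WebAdministration cmdlets and binding methods are the module's own.

```powershell
Import-Module WebAdministration   # run from an elevated session

function Add-SniCertificateBinding {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostHeader,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$SiteName = 'Default Web Site',
        [int]$Port = 443
    )

    # Normalize the thumbprint: values pasted from the certificate dialog
    # often carry spaces or an invisible leading character.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Refuse to bind a certificate that is missing, keyless or expired.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }

    # SslFlags 1 = SNI: the certificate is keyed on hostname:port, not IP:port.
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
    if (-not $binding) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*' `
            -HostHeader $HostHeader -SslFlags 1
        $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
    }
    elseif (-not ($binding.sslFlags -band 1)) {
        throw "Binding for $HostHeader exists without SNI; it shares the IP:port certificate."
    }

    # Idempotent: do nothing if this certificate is already bound, and never
    # silently swap out a different certificate.
    if ($binding.certificateHash -eq $Thumbprint) { return $binding }
    if ($binding.certificateHash) {
        throw "$HostHeader is already bound to certificate $($binding.certificateHash)."
    }

    $binding.AddSslCertificate($Thumbprint, 'My')   # 'My' = LocalMachine\My store
    Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
}

# Usage with constructed sample values:
# Add-SniCertificateBinding -HostHeader 'newsite.example.com' -Thumbprint '<CERT-THUMBPRINT>'
```

`netsh http show sslcert` lists the resulting entry under "Hostname:port", which is a quick way to confirm the existing IP:port bindings were left alone.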
