BigBoss

Reputation: 6914

SNI with wildcard certificate on IIS 8.5

I have a set of sites on IIS 8.5 that all use a wildcard cert (*.myhost.com), let's say:

api.myhost.com
data.myhost.com
...

Now I want to add a new name to these sites, so I got a new certificate (*.newhost.com) and added new sites on IIS:

api.newhost.com
data.newhost.com
...

and enabled Require Server Name Indication in IIS for these new sites, but my problem is that IIS keeps sending the old certificate for my new sites. What am I doing wrong, and why does IIS never send the SNI extension in its Server Hello response?

Upvotes: 0

Views: 4561

Answers (3)

beneviro

Reputation: 31

It is necessary that all sites that use SSL have SNI enabled. If there is only one site with the wildcard certificate that has SNI NOT enabled, this will cause all other certificates not to work with SNI. The easiest way to find out if a site has SNI not enabled is a lookup in the file "ApplicationHost.config" (located in windir/system32/inetsrv/config). In the sites section all bindings are listed and should have an sslFlags attribute of "1". No site may have an attribute of sslFlags="0". After identifying the sites with the "0" flag, you can then activate the SNI flag for these sites in the IIS management console.

Upvotes: 3
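The ApplicationHost.config check described in the answer above, as an added PowerShell example (not code from any of the answers): it lists every HTTPS binding whose sslFlags lacks the SNI bit (bit value 1), which is exactly the binding that claims the whole IP:port for its certificate. The XML below is a constructed sample; the live path comes from the answer.

```powershell
# Added example, not from the original answers: find HTTPS bindings in an
# IIS applicationHost.config whose sslFlags lacks the SNI bit (bit 1).
# A binding with sslFlags 0 (or no sslFlags attribute) owns the IP:port for
# its certificate and hides the SNI-enabled sites on the same IP:port.
function Get-NonSniHttpsBinding {
    param(
        [Parameter(Mandatory)] [xml] $Config
    )
    foreach ($site in $Config.configuration.'system.applicationHost'.sites.site) {
        foreach ($binding in $site.bindings.binding) {
            if ($binding.protocol -ne 'https') { continue }
            # A missing sslFlags attribute is equivalent to 0 (no SNI).
            $flags = if ($binding.sslFlags) { [int]$binding.sslFlags } else { 0 }
            if (-not ($flags -band 1)) {
                [pscustomobject]@{
                    Site        = $site.name
                    BindingInfo = $binding.bindingInformation
                    SslFlags    = $flags
                }
            }
        }
    }
}

# Constructed sample resembling the <sites> section of applicationHost.config:
# the old *.myhost.com site has no sslFlags (SNI off), the new site has SNI on.
$sample = [xml]@'
<configuration>
  <system.applicationHost>
    <sites>
      <site name="api.myhost.com" id="1">
        <bindings>
          <binding protocol="https" bindingInformation="*:443:api.myhost.com" />
        </bindings>
      </site>
      <site name="api.newhost.com" id="2">
        <bindings>
          <binding protocol="https" bindingInformation="*:443:api.newhost.com" sslFlags="1" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

# On the server itself, replace $sample with the real file:
# [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
Get-NonSniHttpsBinding -Config $sample | Format-Table -AutoSize
```

With the sample input the output is the single api.myhost.com binding with SslFlags 0; on a real server every row returned is a binding to fix in the IIS management console before the SNI sites can be served their own certificate.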

franzo

Reputation: 1469

For the non-SNI sites, make sure the bindings are set to "All unassigned" rather than a specific IP address (otherwise they will get in the way of the SNI sites).

Upvotes: 2

Erik Oppedijk

Reputation: 3553

Probably the old sites/bindings don't have SNI enabled.

Check your *.myhost.com bindings for each site and enable SNI.

If SNI is disabled there, the IP and port number combination is claimed by the old certificates.

Otherwise, provide more info by executing this command:

netsh http show sslcert

This will list all the bindings.

Some more background info: https://blogs.msdn.microsoft.com/kaushal/2012/09/04/server-name-indication-sni-with-iis-8-windows-server-2012/

UPDATE: Check the connection, download OpenSSL and use the OpenSSL Client to create debug info with a command like this:

openssl s_client -state -debug -connect www.xyz.com:443

Upvotes: 0
