Mandar Pandit

Reputation: 2209

IIS10 SSL Configuration for Multiple Sites and more than one SSL Cert

I have one scenario where I am working on the IIS website configuration for URL routing. I have added the websites and imported the required certificates on the server.

My scenario is (I have multiple website URLs and two SSL Certs - as below):

qatest1.abc.com

qatest2.abc.com

qatest3.abc.com

The above 3 URLs need to be configured on one SSL certificate, which is the QA certificate.

Another URL is:

perftest.abc.com

And for this URL there is a separate certificate, the PERF (performance) certificate.

This is how the task is given to me to configure the IIS settings on MS IIS 10.

Now the issues which I am facing are:

  1. Not able to configure all the URLs on the same IIS; as per the task given to me I am supposed to configure them all on the same IIS.
  2. Getting a strange message (image attached), and it won't allow me to configure all my above website URLs on the same machine, on the same IIS.

    (image: iis-https-binding-error-message)

  3. Also trying to read about SNI (but not sure how to make use of SNI in this case).

    (image: iis-https-binding-sni)

Need help from IIS experts who can support me in completing this activity.

Upvotes: 6

Views: 14500

Answers (2)

Jalpa Panchal

Reputation: 12854

You could check Server Name Indication; by using this you can avoid the certificate prompt.

This feature offers an easier solution to hosting multiple sites that have a different or individual SSL on a single IP address.

Each HTTPS binding requires a unique IP/port combination because the Host header cannot be used to differentiate sites using SSL. This is because the host header is not visible during the SSL handshake.

Server Name Indication (SNI) allows the server to safely host multiple TLS Certificates for multiple sites, all under a single IP address.

Upvotes: 12

MisterSmith

Reputation: 3654

#1 - It's possible via CLI commands (appcmd & netsh) or scripting (PowerShell) and programming (C#), but not with the IIS Manager GUI AFAIK.

#2 - (See #1.) IIS Manager is stupid and will overwrite existing bindings with the last certificate selected. You end up with bindings attached to the wrong certificate if you click Yes. This is a limitation of the IIS Manager GUI, not IIS.

#3 - You want SNI turned on. It means you can have multiple certificates associated with the same IP address. Without SNI you would need 1 IP address per certificate.

These 2 links will give you an idea of how to use appcmd and netsh; this is the quickest/easiest way to create your desired configuration.

  1. Adding a HTTPS binding to a site
  2. Binding a certificate with netsh

If you know PowerShell ("POSH") you can use the IISAdministration PowerShell cmdlet New-IISSiteBinding to create bindings and associate them with a certificate's thumbprint (though netsh is still useful for debugging and fixing issues).

Either way you're really configuring 2 things: IIS' bindings and Windows/SChannel/HTTP.sys (the operating system component actually responsible for the 'S' in 'HTTPS'). Sometimes they get out of sync and the easiest fix is to delete and re-create the bindings (after clicking Yes to "At least one other site is using the same HTTPS binding..." for example).

A few tips:

  • Once you start using this configuration, IIS Manager or Windows Update/software installs will probably break your bindings at some point. Write a script that can remove and re-create all your bindings for port 443 (only!) so you can easily fix future issues.
  • If you use netsh, it's very fussy about the syntax. Order and spacing of parameters are important when using the command netsh http add sslcert.
  • While you're testing, netsh http show sslcert and netsh http delete sslcert are very useful to try different configurations (this won't delete the cert, just the binding).
  • The cert needs to be in the Machine certificate store; make a note of the path. When using POSH or netsh always specify both the certificate thumbprint and the store\path where the cert was installed.
  • If you need a default HTTPS binding on the IIS site (e.g. load balancer health checks etc.) add it before any named HTTPS bindings.

Final aside: if your domains are all 1 level under abc.com, getting a wildcard certificate would save you a lot of bother. A single *.abc.com certificate would cover all your domains and you can avoid this limitation entirely.

Good luck!

Upvotes: 1
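The "remove and re-create the port 443 bindings" script suggested in this answer, with the SNI bindings that the answer above describes, written out as an added example; it is not code from either answer, from the question, or from Microsoft. It assumes IIS 10 with the IISAdministration module available, one IIS site per host name named after that host name (edit the $Bindings table if your site names differ), both certificates already imported into the machine store (Cert:\LocalMachine\My), and the two thumbprints are placeholders you replace with your own. The check at the end connects to the local machine with each host name as the SNI name and reports which certificate HTTP.sys actually served, which is how you spot a binding that IIS Manager has silently attached to the wrong certificate.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answers. Assumptions: IISAdministration module installed,
# sites named after their host names, certs already in Cert:\LocalMachine\My, placeholder thumbprints.
Import-Module IISAdministration

$QaThumbprint   = 'REPLACE_WITH_QA_CERT_THUMBPRINT'     # placeholder: Get-ChildItem Cert:\LocalMachine\My
$PerfThumbprint = 'REPLACE_WITH_PERF_CERT_THUMBPRINT'   # placeholder
$StorePath      = 'Cert:\LocalMachine\My'               # machine store, as the answer recommends

# Host name -> IIS site name and certificate. The three QA hosts share one cert, PERF has its own.
$Bindings = @(
    @{ Host = 'qatest1.abc.com';  Site = 'qatest1.abc.com';  Thumbprint = $QaThumbprint   }
    @{ Host = 'qatest2.abc.com';  Site = 'qatest2.abc.com';  Thumbprint = $QaThumbprint   }
    @{ Host = 'qatest3.abc.com';  Site = 'qatest3.abc.com';  Thumbprint = $QaThumbprint   }
    @{ Host = 'perftest.abc.com'; Site = 'perftest.abc.com'; Thumbprint = $PerfThumbprint }
)

function Reset-HttpsBindings {
    # Removes and re-creates only the port-443 https bindings listed above, leaving every other
    # binding alone, so the same script repairs bindings that IIS Manager or an update overwrote.
    foreach ($b in $Bindings) {
        $info = "*:443:$($b.Host)"    # IP:port:hostname; '*' = any IP, the host name drives SNI

        $existing = Get-IISSiteBinding -Name $b.Site |
            Where-Object { $_.Protocol -eq 'https' -and $_.BindingInformation -eq $info }
        if ($existing) {
            Remove-IISSiteBinding -Name $b.Site -BindingInformation $info -Protocol https -Confirm:$false
        }

        # Re-create with SNI enabled so several certificates can share one IP address and port.
        New-IISSiteBinding -Name $b.Site -BindingInformation $info -Protocol https `
            -CertificateThumbPrint $b.Thumbprint -CertStoreLocation $StorePath -SslFlag 'Sni'
    }
}

function Test-ServedCertificate {
    # Opens a TLS connection to $Server, sends $HostName as the SNI name, and returns the
    # thumbprint of the certificate the server actually presented for that name.
    param([string]$HostName, [string]$Server = $HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate here: the point is to see which one is served, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.GetCertHashString()   # SHA-1 thumbprint as upper-case hex
    }
    finally { $tcp.Close() }
}

Reset-HttpsBindings

# Verify each host name against the local machine: a MISMATCH means the binding points at the
# wrong certificate (the problem the answer warns about when clicking Yes in IIS Manager).
foreach ($b in $Bindings) {
    $served = Test-ServedCertificate -HostName $b.Host -Server '127.0.0.1'
    $status = if ($served -eq $b.Thumbprint.ToUpper()) { 'OK' } else { 'MISMATCH' }
    '{0,-18} expected {1} served {2} {3}' -f $b.Host, $b.Thumbprint.ToUpper(), $served, $status
}

# The same bindings as HTTP.sys sees them, for when IIS and HTTP.sys have drifted apart:
#   netsh http show sslcert hostnameport=qatest1.abc.com:443
```

Run it from an elevated PowerShell session. Connecting to 127.0.0.1 with the SNI name works because the bindings use `*` (all IP addresses); if you bind to a specific address, pass that address as `-Server` instead. If the check reports a mismatch immediately after Reset-HttpsBindings, compare the output of `netsh http show sslcert` with `Get-IISSiteBinding` for that site: a binding present in one and not the other is the out-of-sync state the answer describes, and deleting it on the netsh side (`netsh http delete sslcert hostnameport=<host>:443`, which removes the binding, not the certificate) before re-running the script clears it.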
