IIS 7 and Above
SSL certificate questions
Last post Dec 09, 2017 02:19 AM by lextm
Dec 04, 2017 03:12 PM|rlynch106|LINK
Sorry, but I have almost no experience with SSL certificates and how to implement them.
I have an IIS 8.5 server running on our intranet. We'll call it MYIISSERVER.
Under MYIISSERVER, I have several sites:
Site1 - currently to access this site we use the address http://MYIISSERVER/Site1:8003
Site2 - currently to access this site we use the address http://MYIISSERVER/Site2:8004
Site3 - currently to access this site we use the address http://MYIISSERVER/Site3:8005
Site4 - currently to access this site we use the address http://MYIISSERVER/Site4:8006
I now have to make all of these sites use SSL with the default HTTPS port of 443.
I have read about Server Name Indication(SNI) on IIS 8 and above. From what I understand, this is similar to using host header names on an unsecured site that uses port 80.
What is the best route to take on doing this? Do I get an individual certificate for each site? Do I get a SAN certificate to include all of the sites (if this is even possible for this scenario)?
Dec 05, 2017 02:57 AM|lextm|LINK
There are tons of step by step guides over the internet,
Dec 05, 2017 07:25 AM|Yuk Ding|LINK
First of all, you need to import the certificate to IIS manager->server node->server certificate and MMC . Then You only need to create https binding all with 443 port. Just remember to set IP/host name and certificate for your site. Third step is go to
IIS manager->site level-> SSL settings->enable and set client certificate to ignore.
Of course, for multiple certificate in the same IIS server, you may need to enable the server name indication when you create the binding host header. Then it is available to use multiple certificates for the same 443 port.
Do I get an individual certificate for each site?
If your different sites only use the subdomain from the same domain name like *.domain.com. you could only apply a wildcard certificate for all these site. However, if you need to use different domains, please apply individual certificate for each site especially
the sites are owned by different owners. Also if all the website is only owned by yourself, the SAN certificate to include all domain could be available.
Dec 05, 2017 11:39 AM|rlynch106|LINK
Thank you for the information.
I am still confused on which type of certificate I need to use. Since the sites are all on the same server, would a SAN certificate be best, or wildcard, or should I have one certificate for each site? All addresses are pointing to the same server, and this
is how it will be after applying the SSL. All sites are and will be hosted on the same server. That brings me to another question: What do I use for the host name in the bindings? Would it be like Site1.MYIISSERVER?
This is on an intranet. I can ping the server these sites run on by using the FQDN of the server. This FQDN is the same as the host name, correct? Currently, there are 5 sites running under this host name using different ports. So when someone on our intranet
wants to access one of these web apps, they type http://FQDN:<port#>. I now have to make all of these sites use SSL for a secure connection.
What do I use for the host name when setting up the SSL binding?
Do I have to have each site registered with DNS?
Dec 05, 2017 04:46 PM|lextm|LINK
would a SAN certificate be best, or wildcard
Check the price of such and you might find it cheaper and more efficient to use multiple certificates. Browsers like Chrome might not show "full trust" on wildcard either, if you launch CodePlex.com sub sites. So although SAN/wildcard might sound like a
feasible way, practically most uses SNI (and that's why it was proposed and became a new standard).
Dec 06, 2017 01:30 AM|Rovastar|LINK
To be honest it is difficult to answer you question fully without knowing what the domain you need are and how you might expand in the future.
wildcards (and SAN) are used for <any_subdomain_name>.mysite.com
If you have many different subdomains for the same domain then this might be for you.
site 1) is a site with multiple domains you can hit it on buyproduct.mysite.com , buystuffnow.mysite.com, buy.mysite.com, shop.mysite.com
site 2) is www.mysite.com, mysite.com,
site 3) media.mysite.com
etc and you envisage many more sites under that domain in the future then a wildcard could be for you.
if you only have 4 sites any they are all different domains then separate certs are likely the way forward.
I personally don't like SANs or use them much manly because I don't have a lot of domains and the ones I have change there are always new ones.
For a SAN it is best if you have a set amount of domains and it does not change. You can get them reissued with new ones added but the additional admin/headache/potential for an issue I think is too great if you keep changing it and reapplying them to each
site. but if you have mysite.com, mysite.co.uk, mysite.de, mysite.every local country code then it can be very useful and even essential.
Personally I prefer wildcards over the SANs just for flexibility as you don't have to re-apply and reissue a new SSL cert if you just wanted to have a new site on a whim e.g. setup mytest.mysite.com the power is back with you.
Dec 06, 2017 01:33 AM|Rovastar|LINK
SNI is only used for having multiple SSL certs on the same IP address.
If you have multiple different IP address for each site you don't need SNI
Although now all browser support it and only old don't (IE7 maybe doesn't) so it doesn't really matter.
Dec 07, 2017 03:55 PM|rlynch106|LINK
These sites are on 1 IP address.
Dec 07, 2017 04:00 PM|rlynch106|LINK
These sites will all be on the same domain and on the same server.
Could I get one certificate to use for all of the sites? Would it have to be a SAN or wildcard certificate or something else?
Could I then use the site name (Site1, Site2, etc.) for the host name in the SSL bindings?
I have incorporated SSL into a site once before, but that was only a single site on one server. I have never done multiple sites on the same server before.
Dec 08, 2017 08:10 AM|Yuk Ding|LINK
Ummm.... IIS binding host header should be a cname in the local DNS. so it should be the different host name. Otherwise, the sites could not be started.
If your website's domain is a.domain.com, b.domain.com,c.domain.com, you could of course use a *.domain.com wildcard certificate for all sites. However, if you use domain1.com,domain2.com,domain3.com, then you should use SAN certificate.
The difference between SAN certificate and multiple certificates only depend on whether the owner for the website are the same.
So you could use any certificate as you wish.
If your website have internal DNS, you only need to create cname for site1,site2,etc and then add host name to binding hos theader. However, if is is a public domain, please purchase it from domain provider.
Dec 08, 2017 02:59 PM|lextm|LINK
Now all are answered, but you still have no choice made.
First, learn how to generate self-signed certificates, using tools like OpenSSL.
Then, generate your own SAN/wildcard certificates and so on to test out all scenarios.
If you don't learn yourself, this discussion would go endlessly.
Dec 08, 2017 03:39 PM|rlynch106|LINK
If I had a test/dev environment, I would generate my own certificates and try different things to see how they work better. But, I only have a production environment and I will not play on that. This is why I am trying to get help with this here.
I do not know enough about how the host names work and if they need to be a FQDN and if DNS has any role in this.
Since it appears that the most important thing here is to give someone answer credits, I will mark the answer that gets me closest to solving my problem even though I still have questions on this subject.
Dec 09, 2017 02:19 AM|lextm|LINK
But, I only have a production environment and I will not play on that.
Interesting. You only need a Windows 10 machine (Professional edition would be good enough, but Home Premium should also work), which I would not call "high end".
DNS can also be simulated by manually modifying hosts file. Thus, you can build a test environment in about a few minutes and then play out the certificates.
BTW, except the Microsoft engineers who usually would like you to accept an answer, I don't think other participants care that much about "the credits". I enjoy efficient discussions on different scenarios, but hate lengthy threads when obviously a few
hand-on experiments can tell the truth. Just my five cents.