Windows

Running multiple SSL IIS sites IIS7 and 7.5

Starting with IIS 7, Microsoft made major changes to IIS.  The look and feel of the entire interface is way different than what administrators were used to with IIS6.  All in all most of the changes have been a good thing.  Managing certificates in IIS7 + 7.5 is actually pretty intuitive and easy to do.  Most everything is wizard and menu based which makes managing certificate details much easier when you aren’t having to worry about syntax.  When it comes to running multiple SSL or port 443 enabled sites in IIS7 and above, we do have to break out the command line for some configuration when it comes to host headers and the use of this port.  Before we get into the particulars of enabling SSL for a site, we need to understand how IIS7 + deals with ports.

IIS 7+ does this by the use of “bindings” which refers to which ports and configurations are “bound” to a certain website.

iis71
We find the above menu, by simply clicking on a particular website found in our management tree on the left.  Once we click on “Bindings” we see a very minimalistic box that allows us to see and modify bindings to a particular site.

iis72

As you can see above, we only have port 80 bound and have the option to “Add” a binding.  If we click on one of the listed bindings, we then have the option to “Edit” and “Browse.”  Remove is only available if you have more than one binding.

iis73

Now that we understand how ports are bound to certain websites, let’s look and see how certificates are managed in IIS7+.  Before port 443 can be bound to a website, we must have a valid certificate in place to use.  In order to manage the certificates for our server, we simply click on the server name in our management tree in IIS and then we have the option in the right hand pane to manage “Server Certificates.”

iis74

In our case here, we are using a Godaddy Wildcard certificate for our webservers, so we need to Import this certificate so that our server will be able to use it to bind to port 443.

iis75

Prerequisite Steps

For our example in this post, we have already imported the Godaddy wildcard certificate to another IIS7 box in our environment.  The process to import this certificate into our other server involves exporting the certificate along with the private key to a .pfx file and having our password that we used available and ready as we will be prompted for this during the import.

So once we have clicked the “Import” button, we have the “Import Certificate” box:

iis76

We have copied the .pfx file certificate to our desktop to be available for import.

iis77

So after the import process, we see the server certificate available to us in our “Server Certificates” screen:

iis78
Adding the SSL Binding to the website:

After we have the certificate in place, we can then add the 443 SSL binding to our websites.  Navigate back to the Site bindings menu that we detailed earlier and view your bindings.  We will be “Adding” a binding to the site.

iis80

Notice in the “SSL Certificate:” box, it is still “Not selected.”  You will need to pull down the drop down box and select your SSL certificate that you imported using the process above.

After adding the SSL binding, we went ahead and removed the port 80 HTTP binding from our site as we only want it to respond to port 443.  Your bindings at this point should look something like this:

iis81


Starting the Websites and multiple Bindings:

After you have gone through the above process on at least one website and run through it on another site, you will receive the following message when trying to bind 443 to another website, IIS lets you know that there is another website using this binding and certificate.  Simply answer Yes to the message box.

iis82

 

At this point if you attempt to start an additional port 443 website you will receive the following error

iis83
Using the command line to set the host information for the binding:

Here is where we need to employ the command line, as you cannot edit the host information for the binding if it is an HTTPS port binding.

  • Open a command prompt and change to the directory: %WINDIR%\system32\inetsrv
  • Using the “appcmd” utility we can add the 443 binding and host information to all the websites we need….replace the information below with your site details and host information
  • appcmd set site /site.name: “Test1” /bindings.[protocol=’https’,bindingInformation=’*:443:’].bindingInformation:*:443:test1.test.local
  • Repeat the command for every website that you want to add host information to the 443 binding

Along with the command above, DNS host records will need to be added that point to all the hostnames we create using the command above.  Once the sites are configured with the host information, IIS will not complain about starting all the websites that are pointed to the same port.

iis84

Final Thoughts:

All in all the process is straightforward to add the SSL binding to a website in IIS7 or 7.5.  Knowing the tricks of how to add the additional bindings makes life easy for an administrator needing to run multiple sites using the same SSL binding.

 

Back to top button