Starting with IIS 7, Microsoft made major changes to IIS. The look and feel of the entire interface is very different from what administrators were used to with IIS 6. All in all, most of the changes have been a good thing. Managing certificates in IIS 7 and 7.5 is actually pretty intuitive and easy to do. Almost everything is wizard and menu based, which makes managing certificate details much easier when you aren’t having to worry about syntax. When it comes to running multiple SSL (port 443) sites in IIS 7 and above, however, we do have to break out the command line for some of the configuration, namely the host headers that let several sites share this port. Before we get into the particulars of enabling SSL for a site, we need to understand how IIS 7+ deals with ports.
IIS 7+ does this through “bindings”, which define which ports (together with the protocol, IP address and host name) are “bound” to a certain website.
We find the above menu, by simply clicking on a particular website found in our management tree on the left. Once we click on “Bindings” we see a very minimalistic box that allows us to see and modify bindings to a particular site.
As you can see above, we only have port 80 bound and have the option to “Add” a binding. If we click on one of the listed bindings, we then have the option to “Edit” and “Browse.” Remove is only available if you have more than one binding.
Now that we understand how ports are bound to certain websites, let’s look at how certificates are managed in IIS 7+. Before port 443 can be bound to a website, we must have a valid certificate in place to use. To manage the certificates for our server, we simply click on the server name in our management tree in IIS and then have the option in the right hand pane to manage “Server Certificates.”
In our case here, we are using a GoDaddy wildcard certificate for our web servers, so we need to import this certificate so that our server will be able to use it to bind to port 443.
For the example in this post, we have already imported the GoDaddy wildcard certificate on another IIS 7 box in our environment. Importing it into our other server involves exporting the certificate along with its private key to a .pfx file and having the password we used available and ready, as we will be prompted for it during the import.
So once we have clicked the “Import” button, we have the “Import Certificate” box:
We have copied the .pfx file certificate to our desktop to be available for import.
So after the import process, we see the server certificate available to us in our “Server Certificates” screen:
After we have the certificate in place, we can then add the 443 SSL binding to our websites. Navigate back to the Site bindings menu that we detailed earlier and view your bindings. We will be “Adding” a binding to the site.
Notice in the “SSL Certificate:” box, it is still “Not selected.” You will need to pull down the drop down box and select your SSL certificate that you imported using the process above.
After adding the SSL binding, we went ahead and removed the port 80 HTTP binding from our site as we only want it to respond to port 443. Your bindings at this point should look something like this:
Starting the Websites and multiple Bindings:
After you have gone through the above process on at least one website and then repeat it on another site, you will receive the following message when trying to bind 443 to the second website: IIS lets you know that another website is already using this binding and certificate. Simply answer Yes to the message box.
At this point, if you attempt to start an additional port 443 website, you will receive the following error.
Here is where we need to employ the command line, as IIS Manager does not let you edit the host information for a binding once it is an HTTPS port binding.
- Open a command prompt and change to the directory: %WINDIR%\system32\inetsrv
- Using the “appcmd” utility we can add the host information to the 443 binding of every website we need. Replace the site name and host name below with your own site details (note the straight single quotes inside the bindings expression; curly quotes will not parse):
- appcmd set site /site.name:"Test1" /bindings.[protocol='https',bindingInformation='*:443:'].bindingInformation:*:443:test1.test.local
- Repeat the command for every website to which you want to add host information on the 443 binding
Along with the command above, DNS host records will need to be added that point to all the hostnames we create using the command above. Once the sites are configured with the host information, IIS will not complain about starting all the websites that are pointed to the same port.
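To apply the appcmd step above to several sites at once and confirm the result, here is an added PowerShell example (not from the original post); the site names and host names in the table are placeholders, and it assumes all sites share one IP and the same wildcard certificate, as IIS 7/7.5 cannot present more than one certificate per IP:port.

```powershell
# Added example: bulk-apply host headers to the existing *:443: binding of
# several IIS 7/7.5 sites with appcmd, then verify each one took effect.
# Site names and host names below are placeholders; replace with your own.
# All sites share the same IP and the same wildcard certificate, because
# IIS 7/7.5 has no SNI and can only present one certificate per IP:port.
$appcmd = Join-Path $env:WINDIR 'system32\inetsrv\appcmd.exe'

# Map each site name to the host name its HTTPS binding should answer to.
$siteHosts = @{
    'Test1' = 'test1.test.local'
    'Test2' = 'test2.test.local'
}

foreach ($site in $siteHosts.Keys) {
    $hostname = $siteHosts[$site]

    # Rewrite the host-less *:443: binding so it carries the host header.
    & $appcmd set site "/site.name:$site" `
        "/bindings.[protocol='https',bindingInformation='*:443:'].bindingInformation:*:443:$hostname"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "appcmd failed for site '$site' (exit code $LASTEXITCODE)"
        continue
    }

    # Verify: the site's bindings attribute (e.g. "https/*:443:test1.test.local")
    # must now contain the host-qualified HTTPS entry.
    $bindings = & $appcmd list site "$site" /text:bindings
    if ("$bindings" -match [regex]::Escape("https/*:443:$hostname")) {
        Write-Host "OK   $site -> https://$hostname"
    } else {
        Write-Warning "Binding for '$site' not found in: $bindings"
    }
}
```

Run it from an elevated PowerShell prompt; each site still needs a DNS record for its host name before clients can reach it.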
All in all, the process of adding an SSL binding to a website in IIS 7 or 7.5 is straightforward. Knowing the trick for adding the additional host-header bindings makes life easy for an administrator who needs to run multiple sites on the same SSL port.