Re: Multi-domain SSL cert installation



Substitute multi-domain cert for wildcard cert in the documentation
and everything still applies. The number of domains of a certificate
does not affect IIS configuration.

The reason there is no explicit documentation with the words "multi-
domain cert" and "SSL host header" is because no one really wants to
configure things like that -- yes, it is possible, but it is poor
design -- every time you want to host a new domain on that same IP with
a new host header, you have to purchase a new multi-domain certificate
and update every single website to use that domain. This is fine when
the number is small like 1, 2, or 3. But if it gets beyond that, your
design quickly fails to scale.

FYI: This is really not a problem with IIS -- this is really a design
limitation within SSL and how people want to use it. SSL has no
concept of Host Header, which is an HTTP-level concept, on top of the
TCP level interaction that SSL operates at. Hence, "SSL Host Headers"
is really a smoke-and-mirrors feature offered by any web server.

Bottom line -- if you want to host many SSL domain names, either:
1. Give an IP for each domain name and assign each a certificate
2. Use same IP and SSL Host Headers with wildcard certificate. Route
each hosted domain to its own wildcard name. i.e.
hosteddomain1.fixeddomainname.com and
hosteddomain2.fixeddomainname.com and configure a single
*.fixeddomainname.com certificate

Based on your description, you definitely did not follow instructions
-- please read the documentation I referenced earlier on how to
properly configure SSL Host Headers.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





On Jul 21, 6:36 am, Joe <J...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
David,
Yes, I have already read through that (and everything else I can find.)  But
that article only refers to 'wildcard' certs, which are used for multiple
host names under a single domain name.  I am seeking help in using a
multi-domain cert for multiple hosts under separate domain names.  Can you
direct me to any documentation on this?  I have been unable to find any, and
Godaddy's tech support is unwilling/unable to resolve the problem.

Thanks,
Joe



"David Wang" wrote:
On Jul 18, 5:42 am, Joe <J...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I am hosting multiple domains on my Win2k3/IIS 6 server using a single IP
address and host headers.  For the past year I have had only one domain that
required an SSL certificate.  Now I have two, and I learned the hard way that
I can't have 2 separate SSL certs on the same server with only 1 IP address.  
Rather than use up one of my limited external IP addresses, I went to Godaddy
and purchased a multi-domain cert (not a wildcard cert) with one primary
domain and 2 secondary names (SANs.)  However, everything went downhill when
I tried to install the new cert.  I exported and removed the original cert,
then installed the new cert on the new primary web site.  I then installed
the existing cert on the other web site.  At this point nothing worked.  The
new primary site wouldn't start because port 443 was already in use, and the
original site wouldn't find its secure pages.  Godaddy support said this was
beyond the scope of their knowledge (even though they sold the cert.)

Does anyone have any experience with multi-domain certs?  This is a
production web server and I can't do any testing during the day.  Any help is
greatly appreciated.
Thanks,
Joe

I suggest starting with the IIS documentation of how to do SSL of
multiple domains over a single IP. If you follow its instructions and
understand the fundamental limitations of SSL in your scenario (no
matter what web server you use), you should be fine.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Librar...

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
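An added example, not part of the original thread: since the server presents one certificate per IP:443 before it sees any Host header, every host header on that IP must match a name in that single certificate, and this sketch checks which ones would not. The function names are hypothetical, the `fixeddomainname.com` hostnames come from the post, and the `.test` names and certificate name lists are constructed.

```python
# Added example: certificate name lists and .test hostnames are constructed.

def san_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a requested hostname.

    A wildcard is honoured only as the entire leftmost label and covers
    exactly one label: *.example.com matches a.example.com, but neither
    example.com nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad patterns such as "*.com" and empty labels.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered_sites(cert_names, host_headers):
    """Host headers that would trigger a name-mismatch warning when every
    site on one IP:443 is served the same certificate."""
    return [h for h in host_headers
            if not any(san_matches(n, h) for n in cert_names)]


# Option 2 from the post: one wildcard certificate, one name per hosted site.
WILDCARD_CERT = ["*.fixeddomainname.com"]
WILDCARD_SITES = ["hosteddomain1.fixeddomainname.com",
                  "hosteddomain2.fixeddomainname.com"]

# Multi-domain (SAN) certificate: a fixed list of names decided at issuance.
MULTI_CERT = ["www.example-one.test", "example-one.test", "www.example-two.test"]
MULTI_SITES = ["www.example-one.test", "www.example-two.test",
               "www.example-three.test"]  # third site added after issuance

if __name__ == "__main__":
    print("wildcard, not covered:", uncovered_sites(WILDCARD_CERT, WILDCARD_SITES))
    print("multi-domain, not covered:", uncovered_sites(MULTI_CERT, MULTI_SITES))
```

Any name the second call reports needs the multi-domain certificate reissued with that name added, then re-deployed to every site sharing the IP.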


