Re: Multi-domain SSL cert installation



David,
Thanks for the detailed response. I understand this is a limitation with
SSL rather than IIS. Based on your information, I will probably stop trying
to make this work on a single IP address.

Thanks,
Joe

"David Wang" wrote:

Substitute multi-domain cert for wildcard cert in the documentation
and everything still applies. The number of domains of a certificate
does not affect IIS configuration.

The reason there is no explicit documentation with the words "multi-
domain cert" and "SSL host header" is because no one really wants to
configure things like that -- yes, it is possible, but it is poor
design -- every time you want to host a new domain on that same IP with
a new host header, you have to purchase a new multi-domain certificate
and update every single website to use that domain. This is fine when
the number is small like 1, 2, or 3. But if it gets beyond that, your
design quickly fails to scale.

FYI: This is really not a problem with IIS -- this is really design
limitation within SSL and how people want to use it. SSL has no
concept of Host Header, which is an HTTP-level concept, on top of the
TCP level interaction that SSL operates at. Hence, "SSL Host Headers"
is really a smoke-and-mirrors feature offered by any web server.

Bottom line -- if you want to host many SSL domain names, either:
1. Give an IP for each domain name and assign each a certificate
2. Use same IP and SSL Host Headers with wildcard certificate. Route
each hosted domain to its own wildcard name. i.e.
hosteddomain1.fixeddomainname.com and
hosteddomain2.fixeddomainname.com and configure a single
*.fixeddomainname.com certificate

Based on your description, you definitely did not follow instructions
-- please read the documentation I referenced earlier on how to
properly configure SSL Host Headers.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





On Jul 21, 6:36 am, Joe <J...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
David,
Yes, I have already read through that (and everything else I can find.) But
that article only refers to 'wildcard' certs, which are used for multiple
host names under a single domain name. I am seeking help in using a
multi-domain cert for multiple hosts under separate domain names. Can you
direct me to any documentation on this? I have been unable to find any, and
Godaddy's tech support is unwilling/unable to resolve the problem.

Thanks,
Joe



"David Wang" wrote:
On Jul 18, 5:42 am, Joe <J...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I am hosting multiple domains on my Win2k3/IIS 6 server using a single IP
address and host headers. For the past year I have had only one domain that
required an SSL certificate. Now I have two, and I learned the hard way that
I can't have 2 separate SSL certs on the same server with only 1 IP address.
Rather than use up one of my limited external IP addresses, I went to Godaddy
and purchased a multi-domain cert (not a wildcard cert) with one primary
domain and 2 secondary names (SANs.) However, everything went downhill when
I tried to install the new cert. I exported and removed the original cert,
then installed the new cert on the new primary web site. I then installed
the existing cert on the other web site. At this point nothing worked. The
new primary site wouldn't start because port 443 was already in use, and the
original site wouldn't find its secure pages. Godaddy support said this was
beyond the scope of their knowledge (even though they sold the cert.)

Does anyone have any experience with multi-domain certs? This is a
production web server and I can't do any testing during the day. Any help is
greatly appreciated.
Thanks,
Joe

I suggest starting with the IIS documentation of how to do SSL of
multiple domains over a single IP. If you follow its instructions and
understand the fundamental limitations of SSL in your scenario (no
matter what web server you use), you should be fine.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Librar...

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
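As an added example (not code from the thread or from either poster), here is a small Python model of the rule David lays out: without SNI, one IP:443 listener can present only one certificate, so every host header served on that IP must be covered by that one certificate, and a wildcard name covers new hosted names automatically while a multi-domain (SAN) cert must be reissued. All hostnames, IPs and certificate name lists below are constructed; the wildcard test follows the usual single-left-most-label rule.

```python
def cert_covers(cert_names, hostname):
    """Return True if any DNS name in the certificate matches hostname.

    A wildcard (*.example.com) matches exactly one left-most label, so it
    covers hosteddomain1.example.com but not a.b.example.com or example.com.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[2:]
            same_label_count = host.count(".") == name.count(".")
            if "." in suffix and same_label_count and host.endswith("." + suffix):
                return True
        elif name == host:
            return True
    return False


def plan_bindings(sites):
    """sites: list of (hostname, ip, cert_names) for sites listening on :443.

    Returns (per_ip, problems). per_ip maps each IP to the single certificate
    (as a sorted tuple of names) bound to it; problems lists the sites that
    either collide with an existing binding (the "port 443 already in use"
    failure) or are not covered by the certificate on their IP.
    """
    per_ip = {}
    problems = []
    for host, ip, cert in sites:
        key = tuple(sorted(n.lower() for n in cert))
        bound = per_ip.setdefault(ip, key)
        if bound != key:
            problems.append(f"{host}: {ip}:443 already bound to a different certificate")
            continue
        if not cert_covers(cert, host):
            problems.append(f"{host}: not covered by {list(cert)}, reissue needed")
    return per_ip, problems


if __name__ == "__main__":
    # Constructed layout matching the thread: one IP, wildcard cert (option 2)
    wild = ["*.fixeddomainname.com"]
    layout = [(f"hosteddomain{i}.fixeddomainname.com", "192.0.2.10", wild)
              for i in range(1, 4)]
    _, probs = plan_bindings(layout)
    print("wildcard layout problems:", probs)
    # Joe's failed layout: two certificates on the same IP
    _, probs = plan_bindings([("www.primary.test", "192.0.2.10", ["www.primary.test"]),
                              ("www.old.test", "192.0.2.10", ["www.old.test"])])
    print("two-cert layout problems:", probs)
```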


