Wednesday, May 22, 2019

iis 7.5 - Securing Two Sub domains on IIS7.5 with SSL on port 443



I have two sub domains pointing at the same IP address i.e.



sub1.example.com




sub2.example.com



Each sub domain maps to a site (let's say sub1 and sub2, respectively) in IIS 7.5 on Windows server 2008 R2. Both sites are non-production sites (a dev and a release candidate).



What I'd like to do is enable HTTPS on both sites via SSL certificate(s) and have access to both sites on port 443. I have downloaded SelfSSL7 in order to generate certificate(s) to use, but I am having trouble with understanding how all the pieces go together.



As I understand it, I need to enable a HTTPS binding for each site via 



Right Click -> Edit Bindings... -> Add Https binding



Going this route does not allow one to edit the Host Name, which in the case of sub1.example.com I believe I need to set to sub1.example.com.



I can generate a certificate with SelfSSL7 on the command line using



SelfSSL7 /N cn=sub1.example.com /K 2048 /V 3650 /I /S "sub1" /P443 /A * /T


This adds the certificate under the Server Certificates in IIS 7.5 and also adds it as the certificate to use for site sub1. The Host name under the HTTPS binding for sub1 is still blank however.




Now, If I go and attempt to generate another certificate for sub2 using the above command (and substituting the cn name and site name appropriately), a message comes up



SSL Binding for *:443: already exists. Use /Q to overwrite


If I understand correctly, the first certificate that I have generated is being used for any host headers that come through on port 443. The end result being that a request to either https://sub1.example.com or sub2.example.com are both going to the sub1 site.



How can I configure this correctly for what I'd like to do. I'm either missing a step or I misunderstand how certificates work. Any help would be greatly appreciated and I can add more details if necessary.


Answer



No, you cannot do it -- IIS does not support different certificates on the same port -- only one unique SSL Certificate per IP:port pair (search on this site -- plenty of answers for similar questions, for example: Using several SSL certificates on same IP with IIS 7 ).




Basically you have 2 choices:




  1. Put each site on different HTTPS port: for example 444. You access such site with port number included in URL (which is perfectly fine when used for development or when putting non-important site on SSL) -- http://sub2.example.com:444/


  2. Generate/Obtain wildcard certificate (*.example.com). This site has instructions how then one such certificate can be used by multiple sites: http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html



-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...