How to configure SSL for an IIS Express site that uses multiple hostnames?

My web application project encompasses multiple web sites served under the umbrella of a single IIS Express site. I succeeded in following Scott Hanselman's excellent blog post, and IIS Express successfully serves both http://foo.local and http://bar.local from the same web application root directory.

However, I need both sites to support SSL. Following Hanselman's advice, I can create an SSL certificate and "attach" it to a single IP-port combination.

makecert -r -pe -n "CN=foo.local" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
netsh http add sslcert ipport=0.0.0.0:443 appid='{214124cd-d05b-4309-9af9-9caa44b2b74b}' certhash=284475d4a4eb5c4d3ab7da4fdefa928186482376

That succeeds, but I am unable to repeat the process for the second site. Evidently only one SSL certificate can be applied to a single IP-port combination.

How can I make an SSL certificate that covers both https://foo.local and https://bar.local, or otherwise "attach" one for each site?

Tema answered 29/7, 2014 at 22:5

jww's answer led me in the right direction. Beyond Hanselman's instructions, here's what I had to do.

First of all, I enabled SNI on my site bindings in IIS Express' applicationhost.config. This just meant appending the sslFlags attribute:

<binding protocol="https" bindingInformation="*:443:foo.local" sslFlags="1" />
<binding protocol="https" bindingInformation="*:443:bar.local" sslFlags="1" />

(credit: Configure SNI On IIS8?)

Then instead of using makecert, I created a self-signed certificate using PowerShell's New-SelfSignedCertificate cmdlet:

New-SelfSignedCertificate -DnsName foo.local, bar.local -CertStoreLocation cert:\LocalMachine\My

(credit: How to create a Self-Signed SAN Certificate in Windows 8)

Besides that, I followed Hanselman's instructions to use netsh http add sslcert... to "register" the certificate for the IP-port, and to use the MMC "Certificates" snap-in to make it trusted.

Tema answered 30/7, 2014 at 15:49
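
The certificate, registration and trust steps from the answer above, combined into one script for an elevated PowerShell session. This is an added example, not part of the original answer: it reuses the hostnames, IP-port and appid shown on this page, replaces the MMC trust step with Export-Certificate/Import-Certificate, and its variable names and temporary file name are hypothetical. The sslFlags bindings in applicationhost.config are still edited by hand.

```powershell
# Added example (not from the original answer). Run elevated.
$hostNames = 'foo.local', 'bar.local'                  # hostnames from the question
$appId     = '{214124cd-d05b-4309-9af9-9caa44b2b74b}'  # appid from the question's netsh command
$ipPort    = '0.0.0.0:443'                             # IP-port from the question

# 1. One self-signed certificate whose SAN lists every hostname.
$cert = New-SelfSignedCertificate -DnsName $hostNames -CertStoreLocation Cert:\LocalMachine\My

# 2. Confirm the SAN really covers each hostname before binding it.
$covered = $cert.DnsNameList | ForEach-Object { $_.Unicode }
$missing = $hostNames | Where-Object { $covered -notcontains $_ }
if ($missing) { throw "Certificate SAN is missing: $($missing -join ', ')" }

# 3. Only one certificate can be registered per IP-port, so drop any
#    earlier registration (e.g. the makecert one) and add the new one.
#    The thumbprint is read from the certificate instead of pasted by hand.
netsh http delete sslcert "ipport=$ipPort" | Out-Null
netsh http add sslcert "ipport=$ipPort" "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# 4. Trust it: copy the public certificate (no private key) into the
#    machine's Trusted Root store. Assumed substitute for the MMC step.
$cerFile = Join-Path $env:TEMP 'iisexpress-dev.cer'    # hypothetical file name
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $cerFile

# 5. Show what is now registered for the IP-port.
netsh http show sslcert "ipport=$ipPort"
```

Importing into LocalMachine\Root makes every process on the machine trust this key for those names, so keep it to development machines and delete the certificate from both stores when it is no longer needed.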

Evidently only one SSL certificate can be applied to a single IP-port combination...

You need IIS 8 or above to use multiple certificates. IIS 8 supports Server Name Indication (SNI). See Server Name Indication (SNI) with IIS 8 (Windows Server 2012).


How can I make an SSL certificate that covers both https://foo.local and https://bar.local ...

Create one certificate. In the certificate, place both names in the Subject Alternate Name (SAN). Place a friendly name in the CN.

The CN should be a friendly name because:

  1. The IETF deprecated placing a DNS name in the CN
  2. The CA/Browser Forum deprecated placing a DNS name in the CN
  3. CN's are often displayed to users, so they should be friendly

... or otherwise "attach" one for each site?

Upgrade to IIS 8 or Server 2012.


Following Hanselman's advice... makecert -r -pe -n "CN=foo.local"

His advice is wrong here.

Bonanno answered 30/7, 2014 at 0:17 Comment(1)
Thanks, jww. The latest IIS Express leverages IIS 8's SNI support, so you led me in the right direction. - Tema
