Share via


Server Certificate Bindings and its restrictions in IIS 6.0 & IIS 7.x

For any client request, IIS uniquely identifies the website based upon the unique combination of IP+PORT+HOSTNAME, here I would be discussing about the confusion which roam around while binding the certificate.

Note: IIS 7.x UI does not allow you to provide Hostname, but in IIS 6.0 you can specify the Host Header while trying to bind the SSL Certificate.

SCENARIO 1: Ports are different but IP and certificate is similar. Negotiate Client Certificate : Disabled

Web Site Name

IP Address

Port

Host Name

Working??

Site1.Confusion.com

192.0.0.1

443

www.confusion.com

Yes

Site2.Confusion.com

192.0.0.1

444

www.confusion.com

Yes

Site3.Confusion.com

192.0.0.1

445

www.confusion.com

Yes

Below are the SSLBindings from the IIS server

C:\>netsh http show sslcert

SSL Certificate bindings:

-------------------------

IP:port : 192.0.0.1:443 Certificate Hash : beeaab550e1b7658c5a09780443f1db28246d08c Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914} Certificate Store Name : MY Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only : Disabled Usage Check : Enabled Revocation Freshness Time : 0 URL Retrieval Timeout : 0 Ctl Identifier : (null) Ctl Store Name : (null) DS Mapper Usage : Disabled Negotiate Client Certificate : Disabled IP:port : 192.0.0.1:444 Certificate Hash : beeaab550e1b758c5a09780443f1db28246d08c Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914} Certificate Store Name : MY Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only : Disabled Usage Check : Enabled Revocation Freshness Time : 0 URL Retrieval Timeout : 0 Ctl Identifier : (null) Ctl Store Name : (null) DS Mapper Usage : Disabled

I can access website using https://<HostName>:<PortNumber> , as shown below

https://www.confusion.com:443 or https://www.confusion.com:445

image

SCENARIO 2: Ports and IP’s are same but Certificate is different.

Web Site Name

IP Address

Port

Host Name

Working??

Site1.Confusion.com

192.0.0.1

443

www.confusion.com

Yes

Site2.Confusion.com

192.0.0.1

444

www.confusion.com

Yes

Site3.Confusion.com

192.0.0.1

443

www.IamFine.com

No

Starting the website will throw a error pop-up as shown below:

image

image

Explanation:

https://blogs.iis.net/thomad/archive/2008/01/25/ssl-certificates-on-sites-with-host-headers.aspx

Snippet from the above blog:

        It's a chicken and egg problem: The host name is encrypted in the SSL blob that the client sends. Because the host name is part of the binding IIS needs the host name to lookup the right certificate. Without the host name IIS can't lookup the right site because the binding is incomplete. Without the certificate IIS can't decrypt the SSL blob that contains the host name. Game over - we are turning in circles.          What IIS does under the covers is to ignore the host name. IIS binds the certificate to IP:Port and warns you when you try to bind a certificate to the same IP:Port combo with different host names.

Conclusion:

IIS uniquely identifies the HTTPS website based on IP+Port as the hostname is not available to it. So what do we do about it? There is definitely a solution. We can use Wildcard/SAN certificates to go around this problem.

Solution: Wild Card Certificate/SAN Certificate

We can bind Wildcard/SAN Certificate to multiple website with same IP and Port as the certificate hash remains the same across all the bindings.

We need to change the SSL Bindings for that specific website in order to get it working. Again as the following condition must be true IP+PORT+HOSTNAME.

Please refer the following blog on how to edit the Secure bindings for the website:

https://blogs.msdn.com/b/saurabh_singh/archive/2007/11/17/wildcard-ssl-certificate-in-iis-6-0-windows-2003-sp1-and-above.aspx

The above is applicable to SAN certificates too.

Comments

  • Anonymous
    May 22, 2012
    Nice article !!!
  • Anonymous
    January 27, 2015
    Very clear instructions. Thnkx Anil.