

Configure SNI On IIS8?

Let's see how to use SNI (Server Name Indication) on IIS 8 and what it does for our HTTPS websites: it lets several sites with different certificates share one IP address and port, because the client sends the host name it wants during the TLS handshake and http.sys picks the certificate by that name.

When we create a new web site with an HTTPS binding in IIS Manager, the "Require Server Name Indication" check box is optional:

 

If we then open applicationHost.config (under %windir%\System32\inetsrv\config), the binding carries a new attribute, sslFlags, whose value is "1" when SNI is enabled:

     <binding protocol="https" bindingInformation="*:443:SniDemo" sslFlags="1" />

sslFlags is a bit mask: bit 0 turns on SNI (Server Name Indication) and bit 1 turns on CCS (Central Certificate Store), so the four possible values are the combinations of the two. I will explain later what CCS is and how to use it.

  • sslFlags = 0  No SNI: an IP-based binding whose certificate comes from the local machine certificate store
  • sslFlags = 1  SNI enabled: the binding is keyed on the host name, certificate from the local store
  • sslFlags = 2  Non-SNI binding that uses the Central Certificate Store
  • sslFlags = 3  SNI binding that uses the Central Certificate Store
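To script the same configuration instead of clicking through IIS Manager, here is an added example (not from the original post) that creates the two demo sites, adds an HTTPS binding with an explicit sslFlags value to each, and then registers the certificates with http.sys using the same netsh tool the article uses to inspect them. The physical paths, the certificate lookup by subject, and the assumption that suitable certificates already exist in the machine store are mine; the application ID is the one IIS registers its bindings under.

```powershell
# Added example (not the article's code): build SniDemo (sslFlags=1) and
# NoneSniDemo (sslFlags=0) from PowerShell on IIS 8 with the WebAdministration
# module. Run from an elevated prompt.
Import-Module WebAdministration

# Assumption: one server certificate per host header already exists in
# Cert:\LocalMachine\My with a matching CN (a SAN certificate would also do).
function Get-DemoCertificate([string]$HostHeader) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$HostHeader*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$HostHeader in Cert:\LocalMachine\My" }
    return $cert
}

# Application ID that IIS uses for its http.sys certificate bindings
$iisAppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'

$sites = @(
    @{ Name = 'SniDemo';     SslFlags = 1 },   # SNI binding, keyed on host name
    @{ Name = 'NoneSniDemo'; SslFlags = 0 }    # classic binding, keyed on IP:port
)

foreach ($site in $sites) {
    $root = "C:\inetpub\$($site.Name)"            # assumed physical path
    $null = New-Item -ItemType Directory -Path $root -Force

    if (-not (Test-Path "IIS:\Sites\$($site.Name)")) {
        # Site is created with an HTTP binding on port 80; the HTTPS binding is
        # added separately so that SslFlags can be set explicitly.
        $null = New-Website -Name $site.Name -PhysicalPath $root `
                            -Port 80 -HostHeader $site.Name
        New-WebBinding -Name $site.Name -Protocol https -Port 443 `
                       -HostHeader $site.Name -SslFlags $site.SslFlags
    }

    $cert = Get-DemoCertificate $site.Name
    if ($site.SslFlags -band 1) {
        # SNI: http.sys keys the certificate on hostname:port. certstorename is
        # required for hostname bindings.
        netsh http add sslcert hostnameport="$($site.Name):443" `
            certhash=$($cert.Thumbprint) appid=$iisAppId certstorename=MY
    } else {
        # No SNI: the certificate is keyed on ip:port, one per IP address and
        # port, shared by every non-SNI site bound to *:443.
        netsh http add sslcert ipport=0.0.0.0:443 `
            certhash=$($cert.Thumbprint) appid=$iisAppId certstorename=MY
    }
}

# Show what http.sys ended up with, exactly as the article does below.
netsh http show sslcert
```

Note the asymmetry the loop makes visible: every sslFlags=0 site on *:443 shares the single 0.0.0.0:443 certificate, so a second non-SNI site would need that one certificate to cover its name as well, while each sslFlags=1 site gets its own hostname:443 entry. Keeping the IP-based entry alongside the SNI entries is also what gives clients without SNI something to connect to.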

So now the SniDemo website supports SNI. I have created another HTTPS website, called NoneSniDemo, without it, so let's compare an SSL binding with SNI to one without:

From an elevated command prompt run `netsh http show sslcert`, which lists the SSL server certificate bindings held by http.sys (and the corresponding client certificate policies), keyed either on an IP address and port or, for SNI bindings, on a host name and port.

As you can see below, the main difference is that the SNI binding is keyed on the host name ("Hostname:port") instead of on "IP:port", so the host name is already part of the certificate binding.
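The netsh output is meant for eyes, not scripts, so here is an added example (not part of the original post) that parses it into objects and then cross-checks the IIS site bindings against it: each sslFlags=1 binding should have a matching "Hostname:port" entry in http.sys and each sslFlags=0 binding a matching "IP:port" entry, otherwise the TLS handshake for that site fails. The sample netsh output and the stand-in site bindings are constructed to mirror the two demo sites; the thumbprint is a placeholder.

```powershell
# Added example: parse 'netsh http show sslcert' and check that every IIS
# HTTPS binding has the http.sys certificate entry it needs.

function ConvertFrom-NetshSslCert {
    # Each binding block in the netsh output starts with an "IP:port" line
    # (classic binding) or a "Hostname:port" line (SNI binding, sslFlags 1/3).
    param([Parameter(Mandatory)][string[]]$Lines)
    $result  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $result.Add($current) }
            $kind = if ($matches[1] -eq 'Hostname:port') { 'SNI' } else { 'IP' }
            $current = [pscustomobject]@{
                Kind = $kind; Endpoint = $matches[2]; CertHash = $null; AppId = $null; Store = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)')       { $current.CertHash = $matches[1] }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)')         { $current.AppId    = $matches[1] }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') { $current.Store    = $matches[1] }
    }
    if ($current) { $result.Add($current) }
    return $result
}

function Test-SslBindingCoverage {
    # $IisBindings: objects with bindingInformation and sslFlags, i.e. what
    # Get-WebBinding -Protocol https returns. $HttpSys: output of the parser.
    param([object[]]$HttpSys, [object[]]$IisBindings)
    foreach ($b in $IisBindings) {
        $ip, $port, $hostName = $b.bindingInformation -split ':'
        if ($b.sslFlags -band 1) {
            $kind = 'SNI'; $needed = "${hostName}:$port"
        } else {
            $kind = 'IP';  $needed = "$(if ($ip -eq '*') { '0.0.0.0' } else { $ip }):$port"
        }
        $hit = $HttpSys | Where-Object { $_.Kind -eq $kind -and $_.Endpoint -eq $needed }
        [pscustomobject]@{
            Binding  = $b.bindingInformation
            SslFlags = $b.sslFlags
            Expected = "$kind $needed"
            Bound    = [bool]$hit
        }
    }
}

# Constructed sample in the shape of 'netsh http show sslcert' on IIS 8
# (placeholder thumbprint). On a real server use: $lines = netsh http show sslcert
$lines = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    Hostname:port                : SniDemo:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
'@ -split "`r?`n"

$httpSys = ConvertFrom-NetshSslCert -Lines $lines
$httpSys | Format-Table Kind, Endpoint, CertHash -AutoSize

# Constructed stand-ins for Get-WebBinding -Protocol https, mirroring the two
# sites in the article's applicationHost.config
$iis = @(
    [pscustomobject]@{ bindingInformation = '*:443:SniDemo';     sslFlags = 1 },
    [pscustomobject]@{ bindingInformation = '*:443:NoneSniDemo'; sslFlags = 0 }
)
Test-SslBindingCoverage -HttpSys $httpSys -IisBindings $iis | Format-Table -AutoSize
```

With the sample data both rows come back Bound = True. Delete the "IP:port" block from the sample and the NoneSniDemo row flips to False, which is exactly the state a server is in after someone removes the IP-based certificate while converting sites to SNI.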

 

 

And here is the binding of each site in applicationHost.config; note that the bindingInformation is the same shape in both and only sslFlags differs:

    <site name="NoneSniDemo" id="3">
        <application path="/" applicationPool="NoneSniDemo">
            <virtualDirectory path="/" physicalPath="C:\inetpub\NoneSniDemo" />
        </application>
        <bindings>
            <binding protocol="https" bindingInformation="*:443:NoneSniDemo" sslFlags="0" />
        </bindings>
    </site>

    <site name="SniDemo" id="2">
        <application path="/" applicationPool="SniDemo">
            <virtualDirectory path="/" physicalPath="C:\inetpub\SniDemo" />
        </application>
        <bindings>
            <binding protocol="https" bindingInformation="*:443:SniDemo" sslFlags="1" />
        </bindings>
    </site>

To use SNI, the client must support it, because the host name travels in the TLS ClientHello (the server_name extension) and the server cannot ask for it. Most web browsers support SNI, but not all: no version of Internet Explorer before 7 does, and no version of IE on Windows XP does either, since IE relies on the SChannel library of the operating system and XP's lacks SNI. A client that sends no server name can only be served by an IP-based binding (sslFlags 0 or 2) on that IP address and port; if only SNI bindings exist there, http.sys has no certificate to offer and the handshake fails.
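To see from the client side which certificate a given server name gets, here is an added example (not from the original post) that opens a TLS connection with .NET's SslStream, sends the chosen name in the SNI extension, and reports the certificate the server presented. The server address is an assumption; the legacy-client case relies on the .NET/SChannel behaviour of sending no SNI extension when the target host is an IP literal (RFC 6066 does not allow IP addresses there), and a port with only SNI bindings answers that case with a failed handshake, which the function reports instead of throwing.

```powershell
# Added example: observe which certificate http.sys picks for a given SNI
# name, and what a client without SNI gets.
function Get-OfferedCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,      # IP or DNS name to connect to
        [Parameter(Mandatory)][string]$TargetHost,  # name sent in the SNI extension
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate: the point is to see which one was chosen,
        # not to validate it, so do not reuse this callback in real clients.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ TargetHost = $TargetHost; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
    }
    catch {
        # No SNI against a port that has only SNI bindings: no certificate,
        # handshake failure. Report it as a row rather than aborting the loop.
        [pscustomobject]@{ TargetHost = $TargetHost; Subject = "HANDSHAKE FAILED: $($_.Exception.Message)"; Thumbprint = $null }
    }
    finally { $tcp.Close() }
}

$server = '192.0.2.10'   # assumed address of the IIS 8 host

# 'SniDemo' should hit the Hostname:port binding; 'NoneSniDemo' has no SNI
# binding so it falls back to the IP:port certificate; passing the bare IP
# sends no server name at all and shows what a pre-SNI client sees.
foreach ($name in 'SniDemo', 'NoneSniDemo', $server) {
    Get-OfferedCertificate -Server $server -TargetHost $name
} | Format-Table TargetHost, Subject, Thumbprint -AutoSize
```

Run it once before and once after removing the IP-based binding: the first two rows keep their certificates, while the bare-IP row switches from the IP:port certificate to a handshake failure, which is the behaviour the previous paragraph describes for clients without SNI.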