Setting Up A Wildcard Certificate in IIS 7, How to Avoid Those Certificate Mismatch Errors.
There are a number of articles that explain why a wildcard certificate is needed, but not many that walk through setting one up properly in IIS 7. Since this is a common situation we see on the support team, I decided to write this article.
Background:
Imagine the following scenario. We have multiple sites (for example let us say site1.marei.com, site2.marei.com and site3.marei.com) which are bound to the same IP:PORT and are distinguished by their different host headers. We have an SSL requirement for each and have requested and installed a unique certificate for each. Now upon browsing to the sites, users will see certificate mismatch errors.
Why is this happening?
The key point is that on IIS 7 an HTTPS request is first handled in kernel mode by HTTP.sys. The host name travels inside the encrypted SSL blob the client sends, so at the point where a certificate has to be chosen, IIS knows only the IP:PORT, not the host header. Because all three sites share the same IP:PORT, IIS needs the host name to complete the binding and look up the correct certificate, but it cannot decrypt the host name without first choosing a certificate. The result is that IIS falls back to the certificate bound to that IP:PORT, which is the first site's, and ignores the host name, giving certificate mismatch errors on the other sites.
What are the solutions?
There are three solutions to this issue:
1) Keep the same IP for each site but give each site a unique SSL port. This is not very practical, because users would then have to type the port into the URL for every request.
2) Keep all sites on the default SSL port 443 and give each site its own IP address. This is definitely more practical than the first option, but it does not help when the number of available IPs is limited, and if every site has its own IP there is little reason to use host headers in the first place.
3) Use a wildcard certificate. The certificate is issued to *.domain.com, or in our example *.marei.com. As long as the domain stays the same (the wildcard covers a single label in front of it, so site1.marei.com but not marei.com itself or a.site1.marei.com), any host header satisfies the certificate, and those pesky certificate mismatch errors go away. Here are the steps to set this up.
Setting up a Wildcard Certificate in IIS 7:
We will start from where the wildcard certificate has been successfully installed.
1) In IIS Manager, set up the port 443 binding for site1.marei.com, selecting the wildcard certificate and entering the host name, as in the following example.
2) Open a command prompt with administrator privileges and go to %systemdrive%\Windows\System32\inetsrv.
Here we will use appcmd to create the bindings for the other sites. You will know it succeeded when you see "SITE object changed" after running the command. The command syntax is as follows (no spaces around the placeholders):
appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='<IP>:443:<hostHeaderValue>']
Please see the following screenshot for reference.
3) You can now view the bindings in IIS Manager, but note that you cannot make any changes there, or the binding settings will be reset. Any changes need to be made with the appcmd command from step 2.
4) Now test the sites, making sure you browse with https://, and you will see there are no longer any certificate errors on any of them. A screenshot of site2 is shown for reference.
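As an added example (not from the original post), the following PowerShell script runs step 2 for the remaining sites and then checks what the explanation above predicts: that HTTP.sys holds a single certificate for the shared IP:443. The IP address 192.0.2.10, the site names and the friendly-name check drawn from the comments are assumptions.

```powershell
# Added example, not from the original post. Runs step 2 for the remaining
# sites and then checks the result. The IP address and site names are assumed.
$ip     = '192.0.2.10'                                   # assumed shared IP
$domain = 'marei.com'
$sites  = @{ 'site2' = 'site2.marei.com'; 'site3' = 'site3.marei.com' }
$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'

# 1. Locate the wildcard certificate. It needs its private key, and (as
#    commenters note) a friendly name starting with '*', otherwise IIS
#    Manager will not treat it as a wildcard certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "^CN=\*\.$([regex]::Escape($domain))" } |
        Select-Object -First 1
if (-not $cert)               { throw "No *.$domain certificate in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'The wildcard certificate has no private key' }
if (-not $cert.FriendlyName.StartsWith('*')) {
    Write-Warning "Friendly name '$($cert.FriendlyName)' does not start with '*'"
}

# 2. Add one https binding per site, using the article's appcmd syntax.
#    Note $($ip):443 rather than $ip:443, which PowerShell would misparse.
foreach ($name in $sites.Keys) {
    $binding = "/+bindings.[protocol='https',bindingInformation='$($ip):443:$($sites[$name])']"
    $out = (& $appcmd set site "/site.name:$name" $binding 2>&1 | Out-String)
    if ($LASTEXITCODE -ne 0 -or $out -notmatch 'SITE object changed') {
        throw "appcmd failed for $name`: $out"
    }
}

# 3. HTTP.sys keeps one certificate per IP:port, which is why every
#    host-header site on the shared IP:443 is served with the same certificate.
#    Confirm that the certificate bound there is the wildcard one.
$ssl   = & netsh http show sslcert "ipport=$($ip):443" | Out-String
$match = [regex]::Match($ssl, 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)')
if (-not $match.Success) {
    Write-Warning "No SSL certificate is bound to $($ip):443 in HTTP.sys"
} elseif ($match.Groups[1].Value -ne $cert.Thumbprint) {
    Write-Warning "$($ip):443 is bound to $($match.Groups[1].Value), not $($cert.Thumbprint)"
} else {
    "All host-header sites on $($ip):443 will present $($cert.Subject)"
}
```

Run it from an elevated PowerShell prompt; the thumbprint comparison is case-insensitive, so netsh's lowercase hash matches the certificate store's uppercase one.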
See you next time and I hope this was helpful!
Cheers,
Matthew Reid
Comments
Anonymous
July 24, 2011
This would be a great posting if it worked this way. When in IIS manager I don't have the option to provide a Host Name if I change the protocol to HTTPS. It works fine in HTTP but that option to name the Host Name isn't there in HTTPS. Any suggestions?
Anonymous
August 02, 2011
Hi George,
When you use the wildcard certificate, and it is ready, you will see the Host Header field is available to be configured. General steps are: create the certificate request in IIS; issue it from the certificate authority; complete the certificate request in IIS (the name must be in *.domain.com format); and then bind this certificate, and you will see the same UI as the post shows.
Freist
Anonymous
September 25, 2011
Works for me as in the article. Once you select a wildcard certificate (*.domain.com) from the dropdown, the Host Name section will become configurable. If you select an SSL certificate from the dropdown that is not a wildcard certificate the host name value will correctly not become configurable.
Anonymous
November 06, 2013
I'm with George on this - the Host Name is grayed out and does not allow for an entry to be made.
Anonymous
March 27, 2014
I'm with the others, the article is useless, the option is greyed out.
Anonymous
May 07, 2014
The wildcard certificate has to have a friendly name that begins with a * or else the Host name field will not become enterable. E.g. wildcard.marei.com will not work but *.marei.com will. See www.mojoportal.com/.../using-a-wildcard-ssl-certificate-in-iis-7x.aspx
Anonymous
May 27, 2014
What do you do when you don't have a private key on the cert? It disappears right after you install it.
Anonymous
June 03, 2014
Can you explain why it is necessary to use appcmd to add the second and third sites? Why wouldn't using the binding dialog for each respective site to set the same bindings work?
Anonymous
December 08, 2014
When importing the certificate, it's important that the friendly name start with a *. Otherwise IIS does not pick up that it is a wildcard certificate, even if it is. (You can change the friendly name via mmc.)
Anonymous
December 23, 2015
I read in another post that in IIS 7.5 the GUI will work fine and you don't need to use appcmd. Not true in my case. I still encountered the dreaded reset warning, but this post worked like a charm.