Wildcard SSL certificate in IIS 6.0, Windows 2003 Sp1 and above


Here I will be talking about configuring SSL wildcard certificates in IIS 6.0 on Win2k3 SP1 and above.

You may have a scenario wherein you want to have the same certificate installed for multiple Websites. Now in a normal scenario this is not possible.

What I mean is you cannot have the same certificate installed on multiple Websites. To achieve a similar functionality you need to get a wildcard certificate from a Certificate Authority.

A wildcard certificate can be applied when you have the same end-domain name for all your Websites wherein you want to install the certificate.

Let’s say you have Websites like www.test.com, mail.test.com and hrweb.test.com. Here the same end-domain name is present which is test.com.

Also remember that you can install the certificate for all such Websites when all of them are running under the same IP/Port combination. Here host headers will be the identifying criterion for the Websites.

So let’s say you have the following configuration:

WebSite    Host Header Value    IP Address    Port    SSL Port
==============================================================
Test1      www.test.com         10.0.1.1      80      443
Test2      mail.test.com        10.0.1.1      80      443
Test3      hrweb.test.com       10.0.1.1      80      443

If you want to use the same certificate for all the above Websites, a wildcard certificate is a viable option.

Here are the steps to obtain a wildcard certificate through IIS manager:

-In IIS Manager, expand the local computer, and then expand the Web Sites folder.

-Right-click the Web site for which you want to obtain a wildcard server certificate, and then click on Properties.

-On the Directory Security tab, under Secure communications, click Server Certificate.

-In the Web Server Certificate Wizard, click Create a new certificate.

-Follow the Web Server Certificate Wizard, which guides you through requesting a new server certificate. You can enter any name on the Name and Security Settings page. On the ‘Your Site’s Common Name’ page, type a name in the Common name box using the format *.<sitename>, for example *.test.com (as in our scenario).

By default, the certificate request file is saved as C:\Certreq.txt, but the wizard allows you to specify a different location of your choice.

-Click Finish to complete the wizard.

After you receive the wildcard server certificate from the Certification Authority, assign the same certificate on all Web sites that have the same IP/port binding and are distinguished only by the host header name.

Here is a Screenshot of the wildcard certificate that we got for our *.test.com sites.

[Screenshot: the wildcard certificate issued for *.test.com]

Now at this point if you try to access any of the Websites you will see that all of the HTTPS responses come from one specific site.

What I mean is that if you access https://www.test.com, https://mail.test.com or https://hrweb.test.com you will get the response from one site only.

You won’t get the corresponding web pages from the different Websites depending on the site in the URL. You will also see that only one of the Websites is running. The other Websites will be in a stopped state because we cannot have multiple Websites running with the same IP and the same SSL port binding (without, of course, some extra settings). If you try to start the other Websites you may see something like this:

[Screenshot: error shown when starting one of the other Websites]

Now, the next and most important step is to follow the procedure below:

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

[It’s not case sensitive]

where host header is the host header for the Web site, for example, www.test.com or mail.test.com.

e.g.

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:www.test.com"

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings ":443:mail.test.com"

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings ":443:hrweb.test.com"

Once these settings are in place for the Websites you should be able to browse to all of them. You will also be able to start all the Websites without any issues.

Ensure that you do not modify any of the SSL related settings in the IIS manager like host header etc. after doing the changes in the metabase.

Finally, keep SSLDiag handy for general SSL-related troubleshooting in case you run into issues 🙂
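The command-line step above, automated as an added example that is not code from the original post or from adsutil.vbs: a VBScript that talks to the same IIS ADSI provider adsutil.vbs is built on, prints each site’s identifier and description (so the right <site identifier> is easy to find), derives one ":443:<host header>" entry per host header the certificate covers, and writes SecureBindings only when run with /apply. The script name, the /apply switch and the end-domain argument are my own choices; the port is the default 443 from the scenario above.

```vbscript
' Added example, not part of the original post: sets SecureBindings for every
' IIS 6.0 web site whose host header a *.<end-domain> certificate covers.
' Usage (assumed script name):  cscript SetSecureBindings.vbs test.com [/apply]
' Without /apply nothing is written; the script only reports what it would do.
Option Explicit

Const SSL_PORT = "443"   ' the SSL port from the scenario in the post

' True when host is exactly one label followed by "." & suffix, which is what a
' *.suffix certificate covers (test.com itself and a.b.test.com are not covered).
Function MatchesWildcard(host, suffix)
    Dim h, prefix
    h = LCase(host)
    MatchesWildcard = False
    If Len(h) <= Len(suffix) + 1 Then Exit Function
    If Right(h, Len(suffix) + 1) <> ("." & LCase(suffix)) Then Exit Function
    prefix = Left(h, Len(h) - Len(suffix) - 1)
    MatchesWildcard = (InStr(prefix, ".") = 0)
End Function

' Build the SecureBindings values for one site from its HTTP bindings, each of
' the form "IP:Port:HostHeader": one ":443:<host header>" entry per distinct
' host header the wildcard covers (a site with several host headers gets
' several entries). Returns an empty array when nothing qualifies.
Function SecureBindingsFor(bindings, suffix)
    Dim b, parts, entry, list
    list = ""
    For Each b In bindings
        parts = Split(b, ":")
        If UBound(parts) >= 2 Then
            If MatchesWildcard(parts(2), suffix) Then
                entry = ":" & SSL_PORT & ":" & LCase(parts(2))
                If InStr("|" & list & "|", "|" & entry & "|") = 0 Then
                    If list <> "" Then list = list & "|"
                    list = list & entry
                End If
            End If
        End If
    Next
    If list = "" Then
        SecureBindingsFor = Array()
    Else
        SecureBindingsFor = Split(list, "|")
    End If
End Function

' ---- main: walk the metabase through the IIS ADSI provider ----------------
Dim suffix, apply, w3svc, site, bindings, secure

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript SetSecureBindings.vbs <end-domain> [/apply]"
    WScript.Quit 1
End If
suffix = LCase(WScript.Arguments(0))    ' e.g. test.com for a *.test.com certificate
apply = False
If WScript.Arguments.Count > 1 Then
    If LCase(WScript.Arguments(1)) = "/apply" Then apply = True
End If

Set w3svc = GetObject("IIS://localhost/W3SVC")
For Each site In w3svc
    If LCase(site.Class) = "iiswebserver" Then
        bindings = site.ServerBindings
        If Not IsArray(bindings) Then bindings = Array(bindings)
        secure = SecureBindingsFor(bindings, suffix)
        ' site.Name is the <site identifier> adsutil.vbs expects; ServerComment
        ' is the description shown in IIS Manager.
        WScript.Echo "Site " & site.Name & " (" & site.ServerComment & "): " & Join(bindings, " ")
        If UBound(secure) < 0 Then
            WScript.Echo "  skipped: no host header covered by *." & suffix
        ElseIf apply Then
            site.SecureBindings = secure   ' same property adsutil.vbs "set" writes
            site.SetInfo
            WScript.Echo "  SecureBindings set to " & Join(secure, " ")
        Else
            WScript.Echo "  would set SecureBindings to " & Join(secure, " ") & " (rerun with /apply)"
        End If
    End If
Next
```

Run it once without /apply to review the identifier-to-host-header mapping, then again with /apply to write the bindings.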

Comments (89)

  2. /dev/null says:

    Thanks for sharing this info and making it clear enough for me.  Very helpful, thanks.

  3. Aloy says:

    I am not able to get the wildcard cert. my company is using its own portal to obtain certificate from verisign.

    Here is the error i am getting:

    Your request contains a dnsName that is incorrectly formatted.

    The offending name is: *.subdomain.domain.com

    Support Information: 35DB

  4. Saur212 says:

    Hi Aloy,

    I don’t see a reason as to why it should fail. Have you checked with the vendor which issues the wildcard cert, in this case it seems Verisign. Also before that, have you checked going through the IIS certificate wizard to request a new certificate and see if that fails too. Let me know. Also where exactly do you see the error.

  5. John_R says:

    Thanks. Your explanations are crystal clear until the csript explanation. My problem is that I don’t see any correlation between <site identifier> and the web sites present in IIS Manager. I have run this command to enumerate the web sites:

    cscript.exe adsutil.vbs enum_all /P

    The above command’s output lists my web sites as numbers (e.g. [33430808]) instead of the human-readable names used for them in IIS Manager. How can I get my web sites to list out as something other than numbers via the command line?

  6. Saur212 says:

    Hi John, thanks for your response.

    Not sure if I got your question correctly.

    If you want to see the listing of a website with its corresponding identifier, go to IIS manager console, select Web Sites (at the global level), and then on the right pane you will see the columns: Description (which shows the friendly name) and Identifier column (which shows the identifier corresponding to the website on IIS 6.0).

    Or else, Right click on a website -> Properties -> Web site.

    Under enable Logging section, click on Properties -> at the bottom you will see Log file name, which will have the identifier for the website in the format W3SVC<ID>exyymmddhh.log.

    Not sure if this what you had in mind. Let me know if you are looking for some scripts etc to get the friendly name and its corresponding identifier. You can check this link to run a VB Script from cmd prompt http://blogs.msdn.com/david.wang/archive/2005/07/13/HOWTO_Enumerate_IIS_Website_Configuration.aspx

    Hope this helps.

    Thanks!

  7. John_R says:

    Thanks for your response, which fully answers my question.

    Best of luck with your Blog.

  8. atucker says:

    I was wondering, if you wanted to do this is a wildcard certificate required or can you get an SSL certificate for each subdomain you make?

  9. Saur212 says:

    Hi atucker,

    Yes, you can definitely get different SSL certificates for each sub-domain. It’s up to an individual as to which route s/he wants to take.

    Having one wild card cert across all sub-domains will help with administration, consistency and convenience maybe. I hope I understood your question correctly.

  10. KSI says:

    This will only work with a wildcard cert as only one cert is actually served.  So if you are all right with having your users click on the continue button once they are provided with the IE warning then fine it works great.  Still not the best solution for hosting multiple domains.

  11. sg says:

    Saurabh – great article. I read your blog after reading the MS Technet article (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true) which was not clear about the site identifier to use.

    However, as one of the earlier comments – two issues that remain to be solved:

    a) users will get IE warning which in IE7 has become more "frightening" for non-tech savvy users – I guess the solution is to specify separate certificates for each domain you want to host.

    b) do the commercial third-party certificate authorities issue a wildcard certificate?

  12. Saur212 says:

    Hi sg, thanks.

    Regarding your concerns,

    a). I wonder why users will get an IE warning. Users should not get a security alert in IE at all if you have used the Common Name while requesting the certificate through the IIS wizard to use *.abcd.com etc.

    If your wild card cert shows *.abcd.com in the "Issued to" section, then when you access a site like test.abcd.com, mail.abcd.com etc you should not get an alert at all. Let me know if we are on the same page and I will try to clarify it more clearly.

    b). Yes, 3rd parties like VeriSign etc do issue wildcard certificates.

  13. sg says:

    Hey Saurabh – I meant IE security alert which in IE7 is worded a little too strongly and frightens non-tech users.

    One question on the identifier for the websites, I noticed in IIS6 that while system created site such as Default Web Site has identifier 1 and Sharepoint has 2 – the user created ones have a really long number. I wonder how is this number generated and is there a way to manage it.

    I also noticed that Symantec Mail Security picked up the next available single digit number whereas the user created sites have anywhere from 6 to 12 digits.

  14. Saur212 says:

    Sg, you are right, IE 7 shows a more esoteric alert :-), that’s true. But again, if we have the SSL cert correctly set, IE won’t get a chance to prompt with an alert to the end users.

    Anyways, coming back to your other question, yes, the user-created web sites have long random site identifiers. It’s actually based on a random sequence and doesn’t have any ill-effects as such. Certain software like SharePoint and Symantec does check for the next available ID that can be used etc.

    You can set the site identifier of your own choice by following the command below:

    C:\Inetpub\AdminScripts> Cscript adsutil.vbs move w3svc/<existing_Identifier> w3svc/<new_identifier>

    e.g.

    >cscript adsutil.vbs move w3svc/12345678  w3svc/10

    Your website may get stopped after this, so ensure you start the website again after executing this command.

    Hope this helps.

  15. Joe says:

    Hi

    I set up WSUS without https.  Another admin set up our numara help desk on the same server without giving another default site folder in the iis. (I have to click on "default web site" folder / properties / directory security to get to the server communication option)

    When I create the certificate how would it impact the wsus?

    Any idea if these are static files? Any idea if I can create another site and move the directory path to a new location?

    The numara product was migrated to this wsus server – the old server has it own wild card certification – can I copy/install it to this server?

    Thanks

    Joe

  16. Saur212 says:

    Hi Joe,

    I am not sure I got what you really asked for. Sorry.

    Let me try answering what i understood.

    If you have WSUS without SSL as a web site on the server and if you are trying to install certificate for another web site on the same server it would NOT impact the first site. Your WSUS is listening on port 80 (by default unless you changed the port) and SSL enabled site over https listens on port 443 (by default unless modified).

    Yes, you can copy and install the wild card cert from the old server to this server for numara product site.

    Let me know if I missed any of your requirements.

    Hope this helps!

  17. Joe says:

    Hi

    Both the WSUS site and numara helpdesk site runs on 80 at the moment.

    We want to make it ssl.

    1) Is it alright to run both sites in the "default web site" space

    2)You are saying I can use my current wild card ssl certification on this space

    I don’t see anything wrong with it since the numara site is pointing to an alternate path. Numara has an application pool. I cannot just create 1 site with ssl for my current set up.

    Since the root file only shows the ability to add the server certification – everything under that server certification option is greyed out.

    Thanks for your help. I’ve copied the old certs.

    Any thoughts?

    Joe

  18. Saur212 says:

    Hi Joe,

    Guess we can talk to understand better about the problem in hand.

    Please email me your number (if you are in US) at xxxxxxxxxxxxxx.

  19. Joe says:

    Hi –

    My issue is resolved. Thanks for putting this up for IIS

    Thanks

    Joe

  20. Saur212 says:

    People often send me questions/concerns related to SSL wildcard certs etc. Questions that come directly to me via email and are not posted in this blog/comments section, I will try to add them here in case they are of value to people having similar questions/concerns around the subject. Here is the first one:

    ====================================

    Hi Saurabh,

    I have just found your article (Wildcard SSL certificate in IIS 6.0, Windows 2003 Sp1 and above) and I was wondering that maybe you could help me to find some answers.

    We just purchased a wildcard certificate and I’m having some issues on setting it up on our IIS server.

    Currently I have the same structure as the one from your blog:

    The problem is that this is a production server and I don’t want to screw things up. That’s why I have these questions:

    1. Do I have to get rid of the existing Host Header Value before I do the binding?

    ans: > No, you don’t have to remove the host header entries.

    2. Can the Test2 (for example) be accessed by http after I do the binding for the main one (www.test.com)

    (the reason why I’m asking this would be because I don’t want to do the binding for all existing subdomains yet)

    ans: > Yes you can access any other site including http://www.test.com over HTTP without issues. The problem arises when you try to access a site over SSL after installing the cert and not having the right bindings.

    3. When I do the binding for http://www.test.com does it kick off the customers that are on the other websites (subdomains)?

    ans: > No, it won’t kick off customers who are on the other sites/subdomains. Users get kicked off if by any chance you recycle the IIS worker process, which won’t occur here.

    Thanks,

    Adrian Mic

  21. Manish says:

    Hi ,

    How can I create a sub domain under the existing domain

    Thanks,

    Manish

  22. Saur212 says:

    Hi Manish,

    You need not create subdomains unless it is required in your web site architecture. What I mean is *only* if you have sites in the form http://www.microsoft.com, mail.microsoft.com etc do you need to have subdomains and hence the need for Wildcard certs.

    If you want to have such a structure for your sites you can add host headers for these sites in the IIS mmc in the form of xxx.domain.com where xxx is www, mail etc. These are subdomains. Let me know if this is what you were looking for.

  23. Manish says:

    Hi Saurabh,

    Now I have created a sub domain. The scenario is like below.

    i have three site like

    http://www.test.com

    http://www.mail.test.com

    http://www.frm.test.com

    Now I have bought a wildcard certificate for *.test.com

    What I need is to secure http://www.mail.test.com only, and the remaining sites should not be secured by SSL.

    hope you get what i need.

    Thanks in Ad.

  24. Saur212 says:

    Hi Manish,

    If you just want to secure http://www.mail.test.com you need not even have a wild card certificate. Wild card certificate is recommended when you want a certificate to bind to *multiple* sites.

    Anyways, here you just need to install this certificate as usual on the http://www.mail.test.com and don’t install the certificate on any other sites (since they are not required to be secured).

    Access http://www.mail.test.com over SSL and you should be good.

    Chill!

  25. vinnekk says:

    Hello Manish,

    Great thread. I am not an IT person, just curious how it works and one part of the process eludes me. Maybe my question isn’t right here because this is SSL and my thought is host header / site related. If I should post elsewhere please let me know.

    My scenario:

    main site = test.com ; home dir = c:\test  IP: 1.2.3.4

    subdomain = driving.test.com ; home dir = c:\test\driving IP: 1.2.3.4

    My Question:

    test.com created as website in IIS

    driving.test.com / http://www.driving.test.com setup as host headers under test.com binding to IP: 1.2.3.4

    When browsing to: http://driving.test.com  how does the default doc in the c:\test\driving directory get loaded? Is there a step I am missing? Any thoughts are greatly appreciated..

    vinnekk

  26. Perfect!  This is exactly what I needed.  Could not find any other site that had that last part with the cscript.

    Big thanks!

  27. Saur212 says:

    Hi vinnekk, thanks!

    As answered in the other post for your similar comment, if you have multiple host headers pointing to the same web site you can load the contents of this site with any of the host header names. All the host headers here are pointing to the same web site and hence the same content will be loaded.

    However, with that said, I see that in the above scenario you are trying to load different content (c:\test\driving) although your URL (http://driving.test.com) is added as a host header to the same web site as http://test.com. http://test.com is pointing to c:\test. Hence content from c:\test will be loaded here and not from c:\test\driving even if you are using driving.test.com.

    Host headers are just kind of an ALIAS. If you want to load different contents for two different URLs, you need to ensure they are pointing to two different sites and not to the same site as above in your case.

    Hope this helps.

    Saurabh

    [Also in case you have time go through this post of mine to get a more detailed understanding of host headers etc.

    http://blogs.msdn.com/saurabh_singh/archive/2007/08/02/an-area-of-confusion-with-host-header-ip-and-port-combinations-within-iis.aspx]

  28. Dave Curtis says:

    Why do I get this message in the event log?  I have followed all of the required steps for a wildcard cert.  What does the message mean?  Is it referring to my other ssl site?

    Thanks for the info.

    Dave

    Event Type: Error

    Event Source: W3SVC

    Event Category: None

    Event ID: 1113

    Date: 10/2/2008

    Time: 9:56:43 AM

    User: N/A

    Computer: WWS10-003

    Description:

    One of the IP/Port combinations for site ‘1594238194’ has already be configured to be used by another site.  The other site’s SSL configuration will be used.  

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  29. Saur212 says:

    Hi Dave,

    If you are using the Wild card cert for the Web sites, and have proper settings for SecureBindings, then you can safely ignore this error. If you are not seeing any issues with accessing your web sites with the correct Certificates installed on them ignore this all together. This is a benign message and is a remnant of days when SSL was not supported on host headers (Pre-SP1 on win2k3).

    Hope this helps!

    Saurabh

  30. David Curtis says:

    Thank you!  I suspected as much, but it is a fine thing to get a positive response.

    I appreciate it.

  31. Jon Sagara says:

    Very nice.  Got my sites working.  Thanks!

  32. Kashif says:

    HI,

    I just installed a UCC 5 domains certificate from godaddy onto the servers. After installing "same" certificate on two "hosts", I wasn’t able to get the other website to start:

    Cannot register the URL prefix ‘https://*:443/’ for site ‘123456789’. The necessary network binding may already be in use.

    I gave the above method a shot and it seems to be working fine for the time being.

    I was just wondering if there is a way to "undo" this change in case something goes wrong.

  33. Saur212 says:

    Hi Kashif,

    I guess when you say "the above method" and "undo changes" you mean the command that you ran through adsutil.vbs, correct me if I am wrong. If that’s the case, you can undo the changes by deleting the above settings as follows:

    To view the current setting:

    > cscript.exe adsutil.vbs get /w3svc/1/SecureBindings

    To delete the current setting:

    > cscript.exe adsutil.vbs delete /w3svc/1/SecureBindings

    If before doing the changes it was set to SecureBindings as ":443:" etc. you can revert back to this by setting the old value.

    Hope this helps!

  34. Bill Green says:

    Perhaps I missed the answer to my question in the comments (all the comments very helpful though).  I have a single IIS box, but two different sites I need to use SSL with.  I purchased two separate SSL certs (one for each site).  

    Is it possible to use each SSL cert for the separate sites on the same box without having to buy a wildcard cert?  As with many govt agencies lately, money is tight and I will get no end of grief if I have to spend additional money after buying the two separate certs.

  35. Saur212 says:

    Hi Bill,

    You can use the same cert for multiple websites on the same server provided the sites are specifically bound to *different* IP addresses or *different* ports. They should not be running on "All Unassigned" if you intend to keep the same port number (like default 443). In case you are okay to run the sites on different SSL ports you can use the same IP address (or All Unassigned) for these sites.

    Refer to this, http://support.microsoft.com/kb/187504/en-us

    Also if using any of the above methods you install the same Cert on multiple sites you will get a security alert because of the hostname mismatch in the SSL transaction over https. You can fix this part by adding Subject alternative Names (SANs) for the certificate while requesting it from the CA. If you are using MS CA refer to this…http://support.microsoft.com/kb/931351

    else contact 3rd party CA vendor.

    Hope this helps!

  36. Andy says:

    Hi,

    I have been using the method here for a wildcard SSL cert in IIS6 for a few months and it works fine.

    however, I deleted a subdomain website and then recreated a new website in IIS6 with the "same" home directory on the W2003 server, added my new "different than before" host header: sitename1234.domain.com and added the secure bindings and it works fine.

    But, I notice the old URL subdomain still works? I don’t know the old site’s ID (Identifier, as I deleted it) to delete it in DOS, so can I view or delete old Site IDs? If not, would this be a security threat?

    so example, same home directory:

    https://site2.domain.com ID 12***** (deleted – not known )

    https://site3.domain.com ID 1234567 (new site, same folder in IIS)

    both URLs work?

    any ideas how to view the old ID binding and to delete it?

    Thanks. Andy

  37. Saur212 says:

    Hi Andy,

    When you say "But, I notice the old URL subdomain still works? " does that mean you are able to access your old website with the name http://site2.domain.com. If that is the case it could be that you have a DNS/Hosts entry for the host header site2.domain.com which still points to the same server. So even though you have deleted this old site it is actually pointing to your new site and since both of them point to the same physical file path things look fine at the exterior. Hope I am not confusing you.

    Also you can open the metabase.xml file from %systemdrive%\WINDOWS\system32\inetsrv in a notepad and search for the old site host header. It may be that a stale entry is still left in there…but I strongly doubt this should allow your site to be accessible from the browser.

    I suggest checking again the DNS/hosts mapping for the old site URL. Try a PING to the above URL and see where does it point to. BTW, does it work the same way even without SSL (assuming your site can be accessed without SSL)?

  38. Andy says:

    Hi Saurabh, thanks for your update to my question.

    I think it could well be DNS, I will check this and let you know if it fixes my problem.

    Thanks, Andy

  39. Andy says:

    Hi,

    yes it was a wrong DNS entry.

    thanks for your help.

    Andy

  40. is the comment moderated? – please delete this if it is – just making sure that my last comment was indeed posted.

  41. DP says:

    I have a question, what if I have one website, accessible via 2 names, i.e. test.domain.com and live.domain.com.  The same site, same identifier, how would I install a cert for both? If I install 1 cert for test.domain.com it throws a cert warning for live.domain.com saying the cert is owned by a different site.  

    I assume wildcards won’t work because it’s only 1 site.  How would I go about getting a cert for each URL, so that there is no warning and the user is none the wiser?

  42. Saur212 says:

    Based on what I understand you want to access the same web site with two different URLs and ensuring that the SSL connection doesn’t throw a security alert for either of them. If this is what you have in mind then refer to this article http://support.microsoft.com/kb/931351.

    [I wish they could have used a better title for this article]

    You need to add Subject Alternative Names (SANs) corresponding to as many URLs as you have for the same site. Let me know if this is what you need.

    tnx!

  43. Berland Inc. says:

    Amazon EC2, AspDotNetStoreFront and Multiple Domains

  45. Stephan says:

    What if I have multiple subdomains on different servers all running IIS 6.0.  Can I still use a wildcard SSL on all of the servers?

    The subdomains match the server names under the domain.

    Thanks

    Stephan

  46. Saur212 says:

    Stephan,

    Yes you can use Wild card certificate but what is the logic behind it? Wildcard was suggested to ensure we could run multiple SSL based sites on the same server using the same cert. If you are planning to deploy different sites (although with same end-domain name) on different servers there are no restrictions which would have prompted users to go for Wildcard SSL in the first place. They are independent certs even though they are wildcard certs when deployed on different machines.

  47. Lester says:

    Would this cause any conflicts?:

    C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings ":443:www.test.com"

    C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings ":443:test.com"

    So far, I have an SSL certificate secured on http://www.test.com and my SSL certificate also secures ‘test.com’, as well, but I didn’t do that in the securebindings yet.  Whenever I access ‘test.com’, I get a "Bad Request (Invalid Hostname)"

  48. Saur212 says:

    Yes, I don’t see it as a good option for the other site.

    Wildcard should be used for multiple sites wherein they have the same end domain name (like *.test.com here) and they should have at least some different name for the prefix in the URL, like www, mail, etc.etc. In your case I don’t see any prefix in the host header for the 2nd website which seems to be just test.com.

    My best bet would be to have something added to the beginning of the 2nd website, like <abcd>.test.com and then add the secure binding for it like ":443:<abcd>.test.com".

  49. Lester says:

    actually, to comment on my previous post, my site identifier will be the same – since they are both the same site. Would this cause an issue?  I’ve already setup the secure bindings and host header for ‘www.test.com’ only.  So is there a way I can "add", ‘test.com’ to this as well or do I have to do this separately?

  50. Saur212 says:

    Okay, so in that case wherein both the URLs are pointing to the same site you will get Bad Request error as expected because you have the securebindings mapped to one of these Urls. If you did not have securebindings mapped at all to any of the urls both the urls should have worked.

    To add multiple securebindings entry to the same website for different urls here is the command you need to try:

    Cscript adsutil.vbs set w3svc/<SiteID>/SecureBindings ":443:adv.contoso.com" ":443:sales.contoso.com"

    In your case run this cmd and you should be good.

    cscript adsutil.vbs set w3svc/<SiteID>/securebindings ":443:www.test.com" ":443:test.com"

  51. Lester says:

    Thanks for your reply Saurabh!  Since I’ve already created the secure bindings for just ‘www.test.com’, is there a way I can open this up and edit it and add ‘test.com’?  Or do I just simply run this command and again and enter the two sites, as instructed?

  52. Saur212 says:

    Np, yes you can rerun the same command with the modified parameters.

  53. Lester says:

    Thank you, Saurabh!  That worked brilliantly!

  54. Allen says:

    Hi,

     I’ve installed a wildcard cert for two sites (subdomains, both) and run the adsutil.vbs as described, but I get a 400 (Bad Request) error when attempting to browse to the site.

    I’m using "all unassigned" IPs, is that a problem?

    If any more information would help, I’d be glad to provide.  Thanks a great deal for your post, it’s been quite helpful

  55. Saur212 says:

    Hi Allen,

    I would request you to send me the metabase.xml file from the IIS server where we are seeing the problem.

    Please contact me directly at xxxxx@yyyy.com[deleted]

    tnx

  56. karen.pertierra says:

    hello,

    I tried you suggested commands:

    cscript adsutil.vbs set w3svc/<SiteID>/securebindings ":443:www.test.com" ":443:test.com"

    but all my subdomain redirects to the main website.  For example, the SSL certificate is:  *.test.com,

    https://test.com works perfectly.

    But https://admin.test.com redirects to https://test.com

    Any workaround?

  57. Karen, the above cmd you ran is meant for URLs that are pointing to the same site. It seems in your case your URLs are pointing to different sites. In such a case you need to follow the cmd mentioned in the post and not the one you have tried.

  58. Roneil says:

    Saurabh, brillant article and comment responses.

    One question I could not figure out: if each of my subdomains is assigned a different IP address instead of all assigned to default, would this make any difference, or can we still put wildcard certs up on each of these sites with a different IP address as long as the base domain is the same for all the sites.

    Thanks

    Roneil

  59. Saur212 says:

    Roneil, thanks for the kind words :-).

    Regarding your question, I haven’t tested this but I feel there should not be an issue around this. Are you getting into some issues?

  60. Darren Thompson says:

    Great article.

    When I look in my C:\Inetpub\AdminScripts folder, I don’t see cscript.exe even though I have Win 2003.

    Is this something that is supposed to be there or do I need to download it?

    Thanks

  61. Saur212 says:

    Darren,

    By default when you install IIS it gets copied to the above location. Check to ensure you don’t have some other drive as the system drive.

    Or else you can just copy it from any other Win2k3 server which has this file.

    tnx

  62. Darren Thompson says:

    Not sure what I’m doing wrong but all I get when I type this in is an error.

    What I’m typing in at the command prompt:

    c:\inetpub\adminscripts>cscript.exe adsutil.vbs set /w3svc/690117/securebindings ":443:[websitename]"

    Error:

    ‘C:\Inetpub\AdminScripts’ is not recognized as an internal or external command, operable program or batch file.

    Any thoughts?

  63. Michele Memè says:

    Great article and well set out.

    Thanks

  64. Bob Hartl says:

    I understand about how to configure SSL Host Headers.  In particular I noted this suggestion:

    cscript adsutil.vbs set w3svc/<SiteID>/securebindings ":443:www.test.com" ":443:test.com"

    I am interested in the scenario where I have a wildcard certificate for "*.test.com".

    The example above suggests that SSL Host Headers works not only for subdomains of test.com:

    sub1.test.com

    sub2.test.com

    etc.

    — but also for the root domain "test.com" itself.  So two questions:

    Q1) Do SSL Host Headers work in this way — where if you have a wildcard cert for *.test.com, then using SSL Host Headers you can use this wildcard cert not only for sub1.test.com and sub2.test.com, but also for the root test.com?  Does this work?

    Q2) Can you specify two names — e.g. http://www.test.com and test.com on a single SecureBindings command (and also specify both names as regular host headers for the web site in question)?   If the web site is configured for requiring SSL, then do https requests work for either http://www.test.com and test.com?  Does it work without getting any "the name on the certificate doesn’t match the URL" error?

    Thanks!

  65. Saur212 says:

    Bob, I am sorry for the delayed response. I was OOF last week. Are you still looking for an answer to your last comment?

  66. Marcus Dempsey says:

    Hi, nice blog on wildcard SSL.  I have a question which I can’t seem to get working correctly.

    I have a number of web servers which have a number of websites, one of my sites needs to have a wildcard certificate assigned to the site, however there can be many hostnames assigned against the domain where the wildcard certificate is assigned to.

    How do I bind this wildcard to any number of hostnames? I don’t want to have to create hundreds of host headers.

    example:

    wildcard cert – *.domain.com

    any number of possible hostnames for example:

    site1.domain.com

    site2.domain.com

    ..

    ..

    site100.domain.com

    I tried to execute cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc/1159510216/SecureBindings "10.0.0.1:443:*.domain.com"

    But when trying to browse to one of the valid domains I get a message saying that this site is not protected, certificate is only for *.domain.com

    Can you help?

  67. Saur212 says:

    Marcus, you cannot run multiple sites using the same IP and port for SSL without wildcard cert (not sure if I got it correctly). You need to run the command in the following format:

    cscript.exe adsutil.vbs set /w3svc/1159510216/SecureBindings ":443:site1.domain.com" ":443:site2.domain.com" etc.

  68. Marcus Dempsey says:

    Thanks, thought as much, do you know what the limit is for adding secure bindings to hostheaders via that command?  I only ask because we may have at least a hundred or so over the coming months.

  69. Saur212 says:

    AFAIK, there is no such upper limit. I would suggest adding the entries for at least 2-3 sites as per the command, then browsing the sites to see if they work as per your expectations. If yes, then you can go ahead adding more without a limit.

  70. cthies says:

    I just used the above SecureBindings script for a primary URL and three subdomains.

    http://www.website.com

    sub1.website.com

    sub2.website.com

    sub3.website.com

    Everything worked fine for 10 minutes then the whole site crashed.  I tried to remove the certificates and it still is down.  How is the script for the SecureBindings removed?  

    Thanks for any help.

  71. cthies says:

    This is a second attempt to post this.  What is the process to REMOVE the script that changes the SecureBindings?  

  72. Saur212 says:

    Cthies, I am sorry for the delayed response, I was away on vacation and had no network access (Ladakh is one such place ;-)).

    Regarding your questions, you can run the following command (assuming your site is running on port 443):

    >cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:"

    Hope this helps. Do feel free to engage me if you have further questions, and once more I am sorry for the delayed response.

  73. Theo San Juan says:

    Saurabh,

    I would also like to know the answer to Bob’s Question about the root test.com. I am in the same situation where I have a wild card certificate.  Everything works fine with the host headers but when I add the root as a host header mydomain.com.  But when I browse to it https:\mydomain.com I get the Mismatched Address error in IE 8. Any suggestions?

    Thanks.

  74. Saur212 says:

    Answer to your/Bob’s questions:

    Q1) Do SSL Host Headers work in this way — where if you have a wildcard cert for *.test.com, then using SSL Host Headers you can use this wildcard cert not only for sub1.test.com and sub2.test.com, but also for the root test.com?  Does this work?

    => Yes, it works!

    Q2) Can you specify two names — e.g. http://www.test.com and test.com on a single SecureBindings command (and also specify both names as regular host headers for the web site in question)?   If the web site is configured for requiring SSL, then do https requests work for either http://www.test.com and test.com?  Does it work without getting any "the name on the certificate doesn’t match the URL" error?

    => Yes,

    cscript adsutil.vbs set w3svc/<SiteID>/securebindings ":443:www.test.com" ":443:test.com"

    It works with both the URLs, however you will get the above Security alert when you access it with test.com. It will work smoothly with http://www.test.com here.

    Hope that helps!

  75. Pablo says:

    I have one Host (IIS installed) , two Web Sites (www.site1.com , http://www.site2.com) and two different certificates (one for site1.com , one for site2.com).

    Can I install both certificates and assign  one for each site?

    e.g.: cscript.exe adsutil.vbs set /w3svc/1159510216/SecureBindings ":443:www.site1.com"

    set /w3svc/1159510217/SecureBindings ":443:www.site2.com"

    one of the documents I have read says: " If multiple SSL certificates are used, the server will usually encounter problems providing the correct SSL certificate when an HTTPS connection is established, causing a certificate name error when connecting. "

  76. Saur212 says:

    You will have to set the websites to run on different IP addresses or ports. You cannot have both of them running on the same combination of IP address/port. I am assuming the cert is not a wildcard cert here for the web sites.

  77. Matt says:

    Hello,

    I am running SBS2003 and would like to create a self-signed certificate with multiple common names.  We use owa.mydomain.com (which points to our IP address and through our firewall to our SBS2003) for e-mail access but have an internal .local domain.  Is it possible to create a single self-signed certificate with the following common names:

    owa.mydomain.com

    servername

    servername.mydomain.local (this is my FQDN)

    Any help would be greatly appreciated.  Thank you!

  78. Ben Taylor says:

    Just wanted to say thanks for the content and hosting this comment thread!  I have been struggling with "Invalid HostName" for the last hour which was all due to an incorrect secure binding.  

  79. visert says:

    Hi, maybe my question will be a bit off topic, but I can’t find the right answer anywhere else.

    Can it be possible that a certificate created in Windows Server 2008 (web server template, version V3) is not compatible with Windows XP?

  80. Saur212 says:

    I doubt there should be an issue. It should work in my opinion on Win XP. What exactly is the problem you see with the certificate on the XP machine?

  81. visert says:

    1) I’m creating certificate using IIS7 installed on Windows Server 2008.

    2) Then I’m using the Certification Authority to issue the new certificate request and export the certificate as binary data.

    3) Installing the certificate on the server works properly, but when I try to access the server from another machine, I install the suggested certificate, put it in the trusted folder, add the URL to trusted web sites, and still get an error that the certificate is incorrect. (I can see a yellow warning triangle in the certificate details in the "Key usage" field.)

  82. Saur212 says:

    When you see those yellow warnings, do you see all 3 warnings or some specific one? What does it say? You may contact me at xxxx@xxx and we can discuss more details if required.

  83. John says:

    I have one wildcard SSL installed, *.site1.com, and I wanted to add another, *.site2.com.  Both sites are on their own IP, and have their own host headers, reports.site1.com and reports.site2.com.  I ran through all the steps in IIS 6 adding the wildcard cert and set the bindings using the same commands as above.  site1 I added a couple of weeks ago and it works perfectly; when I added site2 today and went to https://reports.site2.com it gave me a big red error saying there was a domain name mismatch, so I looked at the cert it had and it was trying to use *.site1.com even though I was going to a site2 subdomain.

    Can you use 2 wildcard certs in IIS6 Win 2k3 R2 SP2?  If so, how do I get the site2 sites to use the site2 SSL?  I had assumed going to a site2 domain would just use the correct one.

    Thanks in advance, and great article.

    John

  84. Saur212 says:

    Hello John, can you cross-check the securebindings property for your site using *.site2.com and see if it is properly set? We can use multiple wildcard certs as far as I can remember.

  85. Sarath says:

    Hi,

    I am getting an error (cscript.exe is not a valid win32 application) when I try to execute the statement:

    cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:www.test.com"

    my environment:

     windows 2003 32bit os

     .net Framework 2.0

    Please let me know how this can be solved. Thanks in advance.

  86. Dima says:

    Hi,

    Summary:

    We have a wildcard certificate from *.site.com;

    We also have N sub-domains: a.site.com, b.site.com, c.site.com, etc.;

    All websites are hosted under one IIS 6.0 box on Windows Server 2003R2 SP2 and under one IP address;

    HTTP access is configured to use different port for each website: a.site.com:8080, b.site.com:8081, etc. Port mapping is managed by the server firewall;

    HTTPS access is configured to use port 433 and 'All unassigned' IP addresses for every site.

    We have carefully set up the host headers using "cscript.exe adsutil.vbs set…" commands.

    Problem:

    Everything (websites, APIs, etc) works fine, but SSLdiag utility warns me that SecureBindings conflict with each other (#WARNING: SecureBindings conflicts with other site). There are also rare error messages in event log like:

    Event Type: Error

    Event Source: W3SVC

    Event ID: 1113

    Description:

    One of the IP/Port combinations for site '2055529037' has already be configured to be used by another site.  The other site's SSL configuration will be used.

    Someone here mentioned that this is a legacy error – a heritage from old IIS5 which didn't support the host headers.

    Questions:

    1. Did we configure everything in a correct manner?

    2. Why do we get this error in the event log? Why does SSLDiag warn me about SecureBindings overlap?

    3. Are there any unknown risks of hosting all sub-domains on one and the same SSL port (443) fully relying on host headers?

    Any advice is very appreciated.

  87. Hi Dima,

    Could you provide more details? The reason I ask is because the error message you are getting is self-explanatory.

    Looks like there is a site which is using the combination you are using for the wildcard.

    Could you list out all the websites and their corresponding securebindings that you have set, along with the certificate they are mapped to?

    Have you missed mapping the hostname for a site which is using the wildcard?

    Since someone mentioned that this issue was seen on IIS 5, I am wondering if the server is configured to run in IIS 5 classic mode? But I doubt this is the issue.

    Regards,

    Kaushal

  88. Saur212 says:

    Hello Dima,

    Are you able to browse to the SSL enabled sites without issues? I mean, are you getting to the correct pages over SSL and without any SSL related warnings in the browser? If yes, then you can safely ignore this error as it (which you also noted) dates back to the pre-SP1 era when wildcard certs were not supported.

    To answer your questions:

    1. Yes, configuration looks good as long as you used the right commands.

    2. This error may be misleading and comes from pre-SP1 days. SSLDiag might again be misleading, but I haven't tested it of late.

    Sorry, I don't have the bandwidth to repro this and test it out as of now.

    3. No, there is no risk involved. It all depends upon your design requirement.

    Hope this helps.
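Two recurring problems in this thread, the "mismatched address" error when a wildcard cert is used for the root domain (comments 73/74) and the "SecureBindings conflicts with other site" warning (comments 86-88), can both be checked offline before touching the metabase. The following is an added example, not code from the original post or from adsutil.vbs; it parses SecureBindings entries in the "IP:port:hostheader" form used throughout the thread (blank IP meaning "All Unassigned"), reports which host headers a wildcard certificate would not cover, and lists IP/port/host triples claimed by more than one site. The sample site data is constructed.

```python
# Added example, not from the original post or from adsutil.vbs: an offline
# checker for IIS 6.0 SecureBindings entries of the form "IP:port:hostheader"
# (blank IP = "All Unassigned", as used in the thread). It shows which host
# headers a wildcard certificate really covers (the root domain is not one)
# and which IP/port/host triples are claimed by more than one site.
from collections import defaultdict

def parse_binding(entry):
    """Split 'ip:port:host' into (ip, port, host); a blank ip becomes '*'."""
    ip, port, host = entry.split(":", 2)
    if not port.isdigit():
        raise ValueError("port must be numeric in %r" % entry)
    return ip or "*", int(port), host.lower()

def wildcard_matches(cert_name, host):
    """True if a certificate name such as '*.test.com' covers 'host'.
    The '*' stands for exactly one DNS label, so 'test.com' itself and
    'a.b.test.com' are NOT covered (the root-domain mismatch in the thread)."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host      # plain, non-wildcard name
    suffix = cert_name[1:]            # ".test.com"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]       # the part matched by '*'
    return label != "" and "." not in label

def uncovered_hosts(cert_name, bindings):
    """Host headers in 'bindings' that the certificate would not cover."""
    return [h for _, _, h in map(parse_binding, bindings)
            if not wildcard_matches(cert_name, h)]

def find_conflicts(sites):
    """sites: {site_id: [binding, ...]}. Returns (ip, port, host, [site_ids])
    for every triple owned by more than one site, e.g. two sites both bound
    to ':443:' with no host header, which SSL host headers cannot separate."""
    owners = defaultdict(list)
    for site_id, bindings in sites.items():
        for b in bindings:
            owners[parse_binding(b)].append(site_id)
    return [key + (ids,) for key, ids in owners.items() if len(ids) > 1]

if __name__ == "__main__":
    # Constructed sample modelled on the thread: host-header sites on one
    # IP/port pair, plus a root-domain binding that the wildcard misses.
    sites = {"1": [":443:www.test.com", ":443:test.com"],
             "2": [":443:mail.test.com"],
             "3": [":443:hrweb.test.com", ":443:www.test.com"]}
    print("not covered by *.test.com:", uncovered_hosts("*.test.com", sites["1"]))
    print("conflicting bindings:", find_conflicts(sites))
```

Feed it the securebindings values read back with adsutil.vbs for each site; an empty result from find_conflicts plus an empty uncovered list is what a clean SSL host header setup looks like.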