Bind multiple sites on same IP address and Port in SSL


 

Until IIS 7.5, the major limitation of IIS is that IIS will allow you to bind only one site for one IP: Port combination using an SSL certificate.  If you try to bind a second site on the IP address to the same certificate, IIS will give you an error when starting the site up stating that there is a conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address and port, we need to use a special mechanism. Before we go there let’s understand why it is not possible for IIS to allow the binding of multiple sites on same IP: Port combination using an SSL certificate.

Classic Chicken and Egg Problem

We know that IIS identifies a site using three piece of data:

1. IP-Address

2. Port

3. Host Header

You can have multiple HTTP site configured with different combination of above. The binding, for example 192.168.1.0:80 can be configured to site “MyServer1.com”. That means if I browse to IP-address 192.168.1.0 over port 80 then I will hit the site “MyServer1.com”. I can have the binding as 192.168.1.0:80:myserver2.com configured for site “MyServer2.com”. That means when I browse the site over IP-address 192.168.1.0 over port 80 with a host header as “myserver2.com” then I will hit the site MyServer2.com. This allows multiple DNS hostnames on a single server at the same IP address.

However this doesn’t work in HTTPS. To know why it doesn’t work in HTTPS lets understand the SSL handshake briefly.

1. Client – > (SSL Handshake) – > “ Hello, I support XYZ algorithm for encryption”

2. Server -> (SSL Handshake) -> “Hi there, Okay so here is my public certificate. Let’s use algorithm X”

3. Client -> (SSL Handshake)-> “Great we can use that”

4. Client -> (In Encrypted format)-> “HTTP Request”

5. Server -> (In Encrypted format)-> “HTTP Response”

<And now cycle continues>

Now let’s say hypothetically, you have set two sites on same IP-address and port and different host headers and you set two different certificates on both of them.

Look at the steps in SSL Handshake, Client sends the HTTP Request only in Step 4. That means Server doesn’t know what host header HTTP request is referring to until step 4. So at Step 2, Server has only IP-Address and Port information with it, so how can server figure out which certificate it needs to send to the Client as you have bind two certificates to same IP-Address and port.

When a request comes to HTTP.SYS layer, the HTTP.SYS reads the site configuration, including the certificate used to encrypt/decrypt the data. The host name is encrypted in SSL Blob that the client sends. However, IIS needs to know the host name in order to get the right certificate. Without the host name IIS cannot get to the correct site. As IIS is not able to get to the correct site so it cannot get the right certificate to decrypt the SSL blob to get the host name. This is the classic Chicken and Egg problem. We are turning into circles with no way out.

This is the precise reason; HTTP server can only allow one site per IP-Address: Port combination for HTTPS browsing. If you need to bind another site over HTTPS then you need to get either a different IP-Address or bind the site to a different port.

Sometimes getting a new IP-Address or port for each website becomes costly affair. So how we can attach two website to HTTPS over same IP: Port. There are two ways to do it in IIS7.

Wild Card Certificate.

A wildcard certificate can secure an unlimited number of first level sub domains on a single domain name. For example, you can get a certificate which is issued to *.mydomain.com. This certificate will secure www.mydomain.com, secure.mydomain.com, welcome.mydomain.com etc. Basically it will work on any subdomain that replaces the wildcard character (*).

Setting up the Wild Card Certificate

Step 1: Install the wildcard certificate.

Verify if the certificate is properly installed.

1. Select Start –> Run

2. Type in “MMC” and hit enter

3. From the console, select File –> Add / Remove Snap-in

4. Select Certificates from the Add / Remove dialog

5. Select Computer Account when prompt for which certificates the snap-in will manager.

6. Select Local Computer when prompted

7. Click OK to add the Snap-in to the MMC

8. Locate your SSL certificate

9. Right click on the certificate and select properties

10. You should see the * in the friendly name.

clip_image002

Once you have installed the certificate then the issued to should be the *.mydomain.com

clip_image004

Step 2: Setup the wildcard certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         www.myserver.com              10.0.1.1              80                  443
Test2                        test2.myserver.com               10.0.1.1              80                  443

Test3                        test3.myserver.com                10.0.1.1             80                  443

IIS6

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

To know how to bind the certificates in IIS6 please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https://test1.myserver.com, https://test2.myserver.com or https://test3.myserver.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type "cmd", and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings "*:443 :< host header>"

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings "10.0.0.1:443:test1.myserver.com"

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings "10.0.0.1:443:test2.myserver.com"

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings "10.0.0.1:443:test3.myserver.com"

clip_image007

You can also change this by changing the metabase.xml for that particular site.

For Example your site id is 1 then you would see following in the Metabase.xml

<IIsWebServer Location ="/LM/W3SVC/1"

AuthFlags="0"

SSLCertHash="ee6c56aaacd9e52137ccd4563131c35bdb020712"

SSLStoreName="MY"

SecureBindings=":443:"

ServerAutoStart="TRUE"

ServerBindings=":80:"

ServerComment="ssltest">

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location ="/LM/W3SVC/1"

AuthFlags="0"

SSLCertHash="ee6c56aaacd9e52137ccd4563131c35bdb020712"

SSLStoreName="MY"

SecureBindings=":443:www.test.com"

ServerAutoStart="TRUE"

ServerBindings=":80:"

ServerComment="ssltest">

IIS7

In IIS7, attaching a wild card certificate is much easier. You can attach the certificate to the website you need to attach to. The moment you select the wildcard certificate the hostname field in the UI will be enabled. You can type the host header in it. You can do the same procedure for multiple sites.

clip_image009

How Wild Card Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (wildcard certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that wildcard certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of Wild Card Certificate.

There are certain limitations of wild card certificate.

1) It can only be applicable to single level of subdomain. For example you got a wild cart certificate for *.mydomain.com then you can bind this certificate to sites such as site1.mydomain.com or site2.mydomain.com. However, you cannot bind the wildcard certificate to Site1.myexample.mydomain.com or Site1.example2.mydomain.com or xyz.abc.mydomain.com etc.

That means the wild cart certificate will work only till first level of subdomain.

2) The wild card certificate will work only if the site has same domain name. That means if you have certificate for *.mydomain.com then you cannot bind this certificate to sites such as www.example.com or www.mydomain2.com etc. Wild card certificate will work only for sites which have same domain name.

3) You can set the wildcard certificate only for one top level domain. For example you can bind a wild card certificate for www.test1.myserver.com or www.test2.myserver.com, but you cannot bind the same certificate for hostheader www.test2.myserver.org or www.test2.myserver.net etc.

SAN Certificate (Subject Alternative Name Certificate)

You can setup the wildcard certificate if the domain name for all the sites are same and first level subdomain changes. What if you want to set up the sites which should work on two different domain names, for example, a site with host header as www.testserver1.com and another site with hostheader as www.testserver2.com. In this case Wildcard certificate won’t help you. To resolve this issue we have SAN Certificate.

A SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for myserver.com, and then add more SAN values to have the same certificate protect myserver.org, myserver.net and even myserver2.com or www.example.com.

You can see the domain names in the Subject Alternative Name option in the Certificate

clip_image011

clip_image012

Setup the SAN certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         www.test.edu               10.0.1.1              80                  443
Test2                        www.test.com               10.0.1.1              80                  443

Test3                    www.test.testing.com 10.0.1.1             80                  443

IIS 6

You need to select the SAN certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, www.test.com, www.test.testing.com then you cannot bind this certificate to a site with hostheader say www.example.com.

To know how to bind the certificates please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https:// www.test.edu, https://www.test.com or https://www.test.testing.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005[1]

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type "cmd", and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings "*:443 :< host header>"

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings "10.0.0.1:443:www.test.edu"

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings "10.0.0.1:443:www.test.com"

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings "10.0.0.1:443:www.test.testing.com"

clip_image013

You can also change this by changing the metabase.xml for that particular site

<IIsWebServer Location ="/LM/W3SVC/1"

AuthFlags="0"

SSLCertHash="ee6c56aaacd9e52137ccd4563131c35bdb020712"

SSLStoreName="MY"

SecureBindings=":443:"

ServerAutoStart="TRUE"

ServerBindings=":80:"

ServerComment="ssltest">

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location ="/LM/W3SVC/1"

AuthFlags="0"

SSLCertHash="ee6c56aaacd9e52137ccd4563131c35bdb020712"

SSLStoreName="MY"

SecureBindings=":443:www.test.com"

ServerAutoStart="TRUE"

ServerBindings=":80:"

ServerComment="ssltest">

clip_image015

IIS7

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, www.test.com, www.test.testing.com then you cannot bind this certificate to a site with hostheader say www.example.com.

To know how to bind the certificates in IIS7 please follow the following link

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

To configure the SAN certificate you need to run the below command after changing the website name, ip-address and port and the host header value.

Go to Start Menu, click Run, type "cmd", and then click OK.

Go to the location “C:\Windows\System32\inetsrv”

Type the following command at the command prompt:

appcmd set site /site.name:”<WEBSiteName>” /+bindings.[protocol=’https’,bindingInformation=’*:443:<hostHeaderValue>‘]

For example

appcmd set site /site.name:"Test1" /+bindings.[protocol=’https’,bindingInformation=’*:443:www.test.edu’]

appcmd set site /site.name:"Test2" /+bindings.[protocol=’https’,bindingInformation=’*:443:www.test.com’]

appcmd set site /site.name:"Test3" /+bindings.[protocol=’https’,bindingInformation=’*:443:www.test.testing.com’]

clip_image017

Alternatively you can go to the applicationhost.config and modify the binding part of the website to add the host header. Do this for all the three sites. For example

<site name="TestSite" id="2" >

<application path="/" applicationPool="TestSite">

<virtualDirectory path="/" physicalPath="C:\Publish" />

</application>

<bindings>

<binding protocol="http" bindingInformation="*:8089:TestSite" />

<binding protocol="https" bindingInformation="*:443:TestSite" />

</bindings>

</site>

clip_image019

How SAN Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (SAN certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that SAN certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of SAN Certificate.

There are certain limitations of SAN certificate.

1) One major limitation of SAN certificate is if you have issued the SAN certificate for say two host-headers www.test1.com and www.test2.edu but you need to setup a site for www.test3.net using the same certificate then you can’t use it. You need to get another SAN certificate from the CA with all the three host-headers. In short, for every addition of a host-header you need to get another SAN certificate.

2) There are certain limitations which are defined by the CA on the number of host-header you can add to the Certificate. That means, after a certain number of host-header you cannot add further host-header into it.

 

Server Name Indication in IIS8

 

IIS8 has a new functionality called Server Name Indication (SNI) to overcome this problem. To know more about SNI please follow the following links

http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability

http://blogs.msdn.com/b/kaushal/archive/2012/09/04/server-name-indication-sni-in-iis-8-windows-server-2012.aspx


Comments (18)

  1. kevin says:

    really helpful. thanks for writing this

  2. Asprangers.com says:

    Thanks for the details. Keep on writing more

    Jas

  3. az says:

    Absolutely the best howto for that issue!!!

  4. Patrick says:

    Agree with Az, this issue has annoyed me a while ago, before anyone else did write such a well explained article.

    A pity it didn't exist back at that time.

    Thanks!

  5. Dragan says:

    This is by far most clear explanation of the problem as well as the solutions to it. Thanks!

  6. pallav agarwal says:

    Its Awesome.I have figured out a lot of problems

  7. Keshav Fulpagare says:

    By using SAN certificate for below 2 host names on a server

    1. abc.xyz.com

    2. pqr.lmn.com

    can we add 2 https bindings on a site with same certificate but different host header information?

  8. Sreerag says:

    Hi, in the initial stage where you have given the explanation of using single IP for two different server, and I guess you have use the same port 80 for both the server, I think we have to use two different ports to map to same WAN ip address.. Am I correct?

  9. paul says:

    best info ever no one else has this info for iis how did oyu get it? thanks a ton!!!!!!!!

  10. Jean says:

    Thank you so very much for explaining how to solve this issue.

  11. David says:

    I think I'm missing something in the "chicken and egg" explanation at the top of this article. At step 1, the client connection happens before the traffic gets encrypted. Correct me if I'm wrong but, to my mind, this should mean that the host header that is sent by the client at this step should be available to the web server so it can easily find which certificate should be used for SSL. If this is the case, all sites should then be able to use the same IP address and port combination. Can you please let me know what I'm missing?

  12. Varun says:

    Hello David,

    In IIS 7 , When the Client send Hello msg it will just send the IP Address and Port. It won't send the Host header.  Actually I would say, Client was still sending the Server Name but IIS 7 was not using it.

    This issue has been rectified in IIS 8, That's why SNI (Server name indication) came into the picture.

  13. Mark says:

    How about the situation where I have 1 ip, 2 web sites, and I want one to be http (port 80) and the other https (443)?  Do I need to get another ip address?

  14. Tim B. says:

    Varun, a fantastic article!!! One issue with the text in the very beginning is that "Until IIS 7.5" this problem existed, so it implies that in version 7.5 it has been rectified. It took me awhile to realize that it is not the case until version 8. So, may I suggest changing the text to remove the ambiguity like so: "Through IIS 7.5"?

    Regardless, Thanks a lot!

  15. Angelus Sunith says:

    Hi

    I'm using IIS for hosting my site in my own webserver at home.

    I used no-ip and DUP for creating domain name to point my server. Its working fine.

    Now i want to add two more sites on the same server.

    and give them different domain name.

    The site i created is "angelussunith.servemp3.com"

    and new one may be

    1.sunith35.servemp3.com

    2.angelus.servemp3.com

    so how is it possible to create these sites on the same server.

    Please help.

    Thanks in Advance.

  16. Steve says:

    Having tried doing this both ways, it still refuses to work.

    I'm actually using the SAN values to manage what would normally be a wildcard certificate.

    All I get with starting the second site is that the 443 port is already in use!

    Site 1 has 80 and 443  Site 2 does not have 80 but does have 443. is there anything in that?

  17. William says:

    I'm having a problem with our wild card cert binding getting unbound when we are unbinding one of the sites that shares this cert. It seems that all or some of the other sites gets unbound.

    Is there an easy way to prevent this from happening in IIS7/7.5? OR a way of detecting it? OR a way of re-binding all of the sites programmatically?

  18. Sachin says:

    Thanks, this article is really helpful

Skip to main content