SelfSSL issue - 2 secure sites running on same box with selfssl certificates

I'm pulling my hair out a little bit over an issue we're having on one of our project environment servers. I'm trying to run 2 different versions of our site, from 2 different code bases. The site has a secure and a non secure area.

I can, as expected, create as many non secure sites as I wish.

The problem I'm having is that I can't seem to get the two secure sites to each co-exist on the same box.

I have created certificates using SelfSSL for each site. Each site, as you'd expect is on its own port, 443 and 444 respectively.

I'm finding that once I've got secure site A ru开发者_C百科nning then secure site B stops working, despite having its own certificate. then when I fix site B, site A stops working.

Any suggestions?

An example of my SelfSSL command used is here:

C:\Program Files\IIS Resources\SelfSSL>selfssl /T /V:600 /S:162950877 /P:444 /N:
CN=SITEREFRESH

The server is running Windows Server 2003 so I think will be IIS5

Ben

I know this is an old question, but I found myself having the same trouble not too long ago and I thought I'd post how I solved the issue. To begin with, this is a very old issue: https://blogs.msdn.microsoft.com/david.wang/2005/04/20/bug-selfssl-allows-only-one-website-to-have-ssl-at-a-time/

After a bunch of trial and error, it seems like if the bindings already exist before you run selfssl then the certificates will work on those bindings. For example:

appcmd set site "[site-name]" /+bindings.[protocol='https',bindingInformation='*:44302:']
selfssl /N:CN="[cert name]" /S:[site_id] /P:44302 /Q /T

appcmd set site "[other-site-name]" /+bindings.[protocol='https',bindingInformation='*:44301:']
selfssl /N:CN="[other cert name]" /S:[site_id] /P:44301 /Q /T

This will create two bindings on different sites that both work (https://[site-name]:44301 and https://[other-site-name]:44302). It looks like selfssl won't make and sign multiple bindings, it will only sign multiple bindings.

PS. See the appcmd docs for more information if you want to know more about that tool.

Why not re-use the same certificate on both sites? Any SSL certificate is meant to identify a host (server), not sub-instances of a server that run on different ports (but the same hostname/FQDN).

It's entirely likely that IIS is seeing a collision between the same identity being used in two different certificates, and refuses to leave both sites running that attest to the same identity with different certs. Under production circumstances, this could be thought of as an attempt to spoof the server's identity with another cert, which would cause security geeks to shudder and run screaming from the room.

see.... http://www.eggheadcafe.com/software/aspnet/34129057/iis6-multiple-web-sites-with-ssl-differentiate-by-host-header.aspx

..for possible fix