
IIS7: How to bind SSL Certificate to Https Host Header?

I have the following Web Farm:


1. http: mydomain1.com port: 80
2. http: mydomain2.com port: 80
3. https: port: 443 SSL Certificate: myCertificate

In IIS7 when you select https binding, the host name will be disabled. I used the appcmd to bind the host name "admin.mydomain2.com" to the website.


appcmd set site /site.name:"admin" /+bindings.[protocol='https',bindingInformation='*:443:admin.mydomain2.com']

A new item was added to the bindings.


3. a. https: port: 443 SSL Certificate: myCertificate
   b. https: admin.mydomain2.com port:443 SSL Certificate: None

If for example I want to remove the first item (a), is it possible to assign a certificate to the second binding (b)?


Links as answers are not the best way to do it, because often those links go cold. Here's a summary of the answer posted above, along with supporting information from elsewhere.

When it comes to SSL, host headers are really left out in the cold. The purpose of SSL is to encrypt your traffic, and part of that traffic is the HTTP headers sent by the browser to the server. One of those headers would be the "Host" header which IIS uses to determine which site to load up with the request. Since the certificate needs to be loaded to establish the secure connection BEFORE the request headers are sent, IIS has to select the certificate based only upon the IP address and port number, thus rendering the host header useless. This, however, does not relieve us of having to comply with STIG v6724 as it relates to IIS Site configuration. So, instead of allowing you to enter the information even though it's useless, Microsoft attempts to out-wit you by not allowing you to enter it at all. There is, however, a way around this.

Please note that this answer assumes that your certificate has already been generated, added to the certificate store, and added to IIS. It also assumes you do not want any other bindings to your website besides the SSL one.

First, we need to gather some information. We need the hash, the application ID and the host name.

  1. Open IIS, select your server and double click on "Server Certificates" in the bottom section. Note the "Issued To" address. This is our host name. Save this.
  2. Select your site
  3. Bind your site to port 80 using the http protocol
  4. Remove all other bindings
  5. Bind your site to port 443 using the https protocol
  6. Open a command prompt

    netsh http show sslcert
    
  7. Save the Certificate Hash and the Application ID

  8. Remove the https binding on your site
  9. At the command prompt:

    netsh http add sslcert ipport=0.0.0.0:443 certstorename=my certhash=<put Certificate Hash here> appid={<put Application ID here>}
    
    appcmd set site /site.name:"<put site name here>" /+bindings.[protocol='https',bindingInformation='*:443:<put host name here>']
    

NOTE: Appcmd.exe can be found in c:\windows\system32\inetsrv. You may need to be in that folder for this command to work.

  10. Remove the http binding from your site

NOTE: You can leave the http binding if you want to have your site auto-redirect to https, but that is another topic.
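The procedure above, collected into one script. This is an added example and not part of the original answer: it looks up the certificate by its "Issued To" name in the machine store, binds it to the IP:port with netsh, and then adds the https host-header binding with appcmd. The site name "admin", the host name "admin.mydomain2.com" and the IP:port 0.0.0.0:443 are assumed values taken from the question; the application ID default is the one IIS normally reports in `netsh http show sslcert` and should be checked against that output on your own server.

```powershell
# Added example: bind a certificate to 0.0.0.0:443 and add an https host-header
# binding on IIS 7 (no SNI, so one certificate per IP:port). Run as Administrator.
param(
    [string]$SiteName = 'admin',                     # assumed site name from the question
    [string]$HostName = 'admin.mydomain2.com',       # assumed host header from the question
    [string]$IpPort   = '0.0.0.0:443',
    # Assumption: the application ID IIS normally reports in 'netsh http show sslcert'.
    # Verify it against that output on your server and override if it differs.
    [string]$AppId    = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
)

$ErrorActionPreference = 'Stop'
$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found at $appcmd" }

# 1. Find the certificate. The "Issued To" name in IIS Manager is the CN of the subject.
#    Require a private key (otherwise it cannot terminate TLS) and take the newest.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($HostName))(,|$)" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$HostName in LocalMachine\My" }
$certHash = $cert.Thumbprint   # same value 'netsh http show sslcert' prints as Certificate Hash

# 2. Only one certificate can be bound to an IP:port on IIS 7. If something is already
#    there, remove it first so 'add sslcert' does not fail. The label "IP:port" is what
#    netsh prints on an English system; adjust the pattern for other locales.
$alreadyBound = (& netsh http show sslcert) |
    Where-Object { $_ -match "IP:port\s+:\s+$([regex]::Escape($IpPort))\s*$" }
if ($alreadyBound) {
    & netsh http delete sslcert ipport=$IpPort | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http delete sslcert failed for $IpPort" }
}

# 3. Bind the certificate to the IP:port. This is the step the IIS Manager dialog hides
#    once the binding carries a host name, which is why it is done with netsh here.
& netsh http add sslcert ipport=$IpPort certhash=$certHash appid=$AppId certstorename=MY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $IpPort" }

# 4. Add the https binding with the host header, unless the site already has it.
#    appcmd's /text:bindings prints e.g. "http/*:80:mydomain2.com,https/*:443:admin.mydomain2.com".
$bindings = & $appcmd list site "$SiteName" /text:bindings
if ($LASTEXITCODE -ne 0) { throw "Site '$SiteName' not found" }
$wanted = "*:443:$HostName"
if ($bindings -notmatch "https/$([regex]::Escape($wanted))(,|$)") {
    # PowerShell passes each string below as one argument; quoting a site name with
    # spaces (e.g. "Default Web Site") is handled for you.
    & $appcmd set site "/site.name:$SiteName" "/+bindings.[protocol='https',bindingInformation='$wanted']" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed to add the https binding" }
}

# 5. Show the result: the certificate on the IP:port and the site's bindings.
& netsh http show sslcert ipport=$IpPort
& $appcmd list site "$SiteName" /text:bindings
```

Because IIS 7 picks the certificate from the IP:port alone, every https host name you bind on 0.0.0.0:443 is served with this one certificate; if several such host names exist, the certificate must cover all of them (a wildcard or multi-name certificate), or each name needs its own IP address. The host header on the binding only decides which site gets the request after the TLS handshake has already completed.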


    REM Solution to bind https for "Default Web Site" on IIS 7
    cmd /c
    pushd %systemroot%\System32\inetsrv
    set sitename=Default Web Site
    appcmd set site /site.name:"%sitename%" /+bindings.[protocol='https',bindingInformation='*:443:']

    REM To assign ssl certificate to "Default Web Site" on IIS7
    REM Go to inetmgr assign ssl certificate manually to the "Default Web Site" in Edit Bindings
    REM Go to DOS command prompt use command (netsh http show sslcert) and get the Certificate Hash (certhash) and Application ID (appid) information
    REM Execute the netsh command
    netsh http add sslcert ipport=0.0.0.0:443 certhash=******** appid={********}


This blog post might help you. It got me to the point of having the host header defined in IIS and the correct SSL cert assigned to it, and while it worked fine locally if we pointed 127.0.0.1 to the site's address in the hosts file, it just timed out when put in production. Hopefully it'll get you a little further:

http://www.awesomeideas.net/post/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx

Remove all your bindings, assign the SSL cert with the command line, then add the SSL bindings with host header via the command line.
