IIS7: how to associate an SSL certificate with an Https host header?

I have the following web farm:

1. http: mydomain1.com, port 80
2. http: mydomain2.com, port 80
3. https: port 443, SSL certificate: myCertificate

In IIS7, when you select the https binding, the host name field is disabled. I used appcmd to bind the host name "admin.mydomain2.com" to the site.

    appcmd set site /site.name:"admin" /+bindings.[protocol='https',bindingInformation='*:443:admin.mydomain2.com']

A new item has been added to the binding.

3. a. https: port 443, SSL certificate: myCertificate
   b. https: admin.mydomain2.com, port 443, SSL certificate: None

If, for example, I want to remove the first element (a), can I assign a certificate to the second binding (b)?

+4
2 answers

Links as answers are not the best way to do this, because those links often go dead. Here is a summary of the answer posted above, together with supporting information from other sources.

When it comes to SSL, host headers are really left out in the cold. The purpose of SSL is to encrypt your traffic, and the HTTP headers the browser sends to the server are part of that traffic. One of those headers is the Host header, which IIS uses to determine which site a request is loading. Because the certificate must be sent to establish the secure connection before the request headers are sent, IIS has to select a certificate based only on the IP address and port number, which makes the host header useless for that purpose. This, however, does not relieve us of the need to comply with STIG v6724 as it relates to the configuration of the IIS site. So, instead of letting you enter information that would be useless anyway, Microsoft tries to keep you out of trouble by not letting you enter it at all. There is, however, a way around this.

Note that this answer assumes that your certificate has already been created, added to the certificate store, and added to IIS. It also assumes that you do not need bindings to your site other than SSL.

First, we need to collect some information. We need a hash, an application identifier, and a host name.

  • Open IIS, select your server, and double-click "Server Certificates" at the bottom. Note the "Issued To" name. This is our host name. Save it.
  • Choose your site
  • Link your site to port 80 using the http protocol
  • Delete all other bindings
  • Link your site to port 443 using the https protocol
  • Open a command prompt and run:

     netsh http show sslcert

  • Save the certificate hash and the application identifier
  • Remove the https binding on your site.
  • At the command line:

     netsh http add sslcert ipport=0.0.0.0:443 certstorename=my certhash=<put Certificate Hash here> appid={<put Application ID here>}
     appcmd set site /site.name:"<put site name here>" /+bindings.[protocol='https',bindingInformation='*:443:<put host name here>']

NOTE. Appcmd.exe can be found in the c:\windows\system32\inetsrv directory. You may need to be in this folder for the command to work.

  • Remove the http binding from your site.

NOTE. You can leave the http binding if you want your site to be automatically redirected to https, but this is another topic.
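The same procedure as the answer above, scripted in PowerShell so the hash and application ID are read from the machine instead of copied by hand. This is an added example, not code from the answer or from Microsoft; the site name, host name and certificate subject are hypothetical values taken from the question, and it assumes the site already exists in IIS, the certificate is in the Local Machine "Personal" (MY) store, and the script runs from an elevated prompt.

```powershell
# Added example (not from the answers above): bind a certificate to 0.0.0.0:443
# in HTTP.sys, then add an https binding with a host header via appcmd.
# Hypothetical values, change them for your server:
$SiteName    = 'admin'                      # IIS site name (from the question)
$HostName    = 'admin.mydomain2.com'        # host header to bind (from the question)
$CertSubject = "CN=$HostName"               # subject the certificate was issued to
$AppCmd      = "$env:windir\System32\inetsrv\appcmd.exe"

# 1. Find the certificate hash (thumbprint) in the Local Machine\My store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$CertSubject' in LocalMachine\My" }
$CertHash = $cert.Thumbprint

# 2. Inspect what HTTP.sys already has on 0.0.0.0:443. Reuse its application ID
#    if one is registered; otherwise any GUID will do, the application ID only
#    labels which application owns the binding.
$existing = netsh http show sslcert ipport=0.0.0.0:443 2>&1 | Out-String
if ($existing -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
    $AppId = $Matches[1]
} else {
    $AppId = "{$([guid]::NewGuid().ToString())}"
}

# 3. Bind the certificate to the IP:port in HTTP.sys. This is the step the IIS
#    manager cannot do for a host-header binding: HTTP.sys picks the certificate
#    by IP and port only, before any Host header has arrived. Every host name
#    bound on the same IP:port therefore shares this one certificate.
if ($existing -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
    if ($Matches[1] -ieq $CertHash) {
        Write-Host "Certificate $CertHash is already bound to 0.0.0.0:443"
    } else {
        throw "0.0.0.0:443 already carries a different certificate ($($Matches[1])); " +
              "remove it first with: netsh http delete sslcert ipport=0.0.0.0:443"
    }
} else {
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertHash appid=$AppId certstorename=MY
    if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }
}

# 4. Add the https binding with the host header to the site via appcmd.
& $AppCmd set site /site.name:"$SiteName" "/+bindings.[protocol='https',bindingInformation='*:443:$HostName']"
if ($LASTEXITCODE -ne 0) { throw 'appcmd set site failed' }

# 5. Verify: HTTP.sys shows the certificate on 0.0.0.0:443 and the site lists the binding.
netsh http show sslcert ipport=0.0.0.0:443
& $AppCmd list site "$SiteName"
```

The check in step 3 matters in practice: `netsh http add sslcert` fails if the IP:port already has a certificate, and silently replacing it would swap the certificate for every other site that answers on that IP:port. The script refuses in that case and tells you which hash is in the way, rather than deleting it for you.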

+2

This blog post may help you. It let me define the host header in IIS and assign the correct SSL certificate to it, and although it worked fine locally, when we pointed 127.0.0.1 at the site address in the hosts file, it simply stopped working once deployed to production. Hope this helps you a bit:

http://www.awesomeideas.net/post/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx

Remove all bindings, assign an SSL certificate on the command line, and then add SSL bindings with the host header through the command line.

-1
