Using Host Headers and SSL in IIS 7 (without the ugliness of appcmd)

Microsoft SharePoint is an amazing tool for collaboration and information sharing.  At AIS, we make extensive use of SharePoint portals to serve up a variety of informational goodies.

Those of us using SharePoint love its support for a sub-domain per SharePoint Web Application.  It is very common to see SharePoint URLs such as

http://hr.mycompany.com

http://development.mycompany.com

http://portal.mycompany.com

Using Host Headers in IIS, implementing several SharePoint Web Applications on a single IIS server with a single IP address is a trivial matter.  So trivial that the SharePoint Application Management wizard sets it all up for you!

Trivial, that is, until you start to see sub-domains such as

http://payroll.mycompany.com

http://secure.mycompany.com

For secure data, such as payroll, most companies will start thinking about SSL to encrypt the data between the server and the browser.  And so begins the trouble.


IIS, by default, only supports binding an SSL certificate to ONE SharePoint web application (or any other website on the server).  Under default conditions, you must choose between securing the payroll site or the secure site with SSL; you cannot bind SSL certificates to both.

Of course, there are several well-documented methods for binding SSL certificate(s) to multiple host headers.  The problem is that they require the arcane command-line tool appcmd.  Doable, but not trivial.


Fear not, there is an easier way!


IIS 7 supports what appears to be an undocumented feature for SSL and Host Headers: you simply prefix the SSL certificate’s friendly name with an asterisk.


Here is how you do it:

Assumptions

  • You have a valid SSL certificate already installed on your IIS server
  • The SSL certificate matches your sub-domain URL
  • You have access to the IIS Manager
  • Coffee is brewing, ready to go when you are done

Instructions

  1. Open Internet Information Services (IIS) Manager
  2. Edit the Site Bindings for the website you wish to assign an SSL certificate to
    (right click, select Edit Bindings)
  3. Select the HTTPS port and select Edit
  4. Note that the Host Name (Host Header) field is unavailable for editing
  5. Launch the Microsoft Management Console (MMC)
    1. Select Start –> Run
    2. Type in “MMC” and hit enter
    3. From the console, select File –> Add / Remove Snap-in
    4. Select Certificates from the Add / Remove dialog
    5. Select Computer Account when prompted for which certificates the snap-in will manage
    6. Select Local Computer when prompted
    7. Click OK to add the Snap-in to the MMC
  6. Locate your SSL certificate
    1. For self-signed (SELFSSL), look in Personal
    2. For installed / purchased, look in the folder the certificate was originally installed in
  7. Right click on the certificate and select Properties
  8. Edit the Friendly Name field so the name starts with an *
  9. Repeat steps #1 – 3 above
    Note that the Host Name (Host Header) field is now available for editing
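The same procedure scripted in PowerShell, as an added example that is not code from the original post: it prefixes the friendly name with an asterisk, adds the HTTPS binding with a host header, attaches the certificate to the IP:port, and checks the result in HTTP.sys. It assumes the WebAdministration module (IIS 7.5; on IIS 7.0 load it with Add-PSSnapin WebAdministration), an elevated prompt, and placeholder site and host names.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on the
# IIS server and the WebAdministration module. Site/host names are placeholders.
Import-Module WebAdministration

$siteName   = 'payroll'                 # placeholder: IIS site name
$hostHeader = 'payroll.mycompany.com'   # placeholder: host header (sub-domain)

# 1. Find the certificate in the Computer account's Personal store (the store
#    the MMC Certificates snap-in shows as "Personal"), newest expiry first.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match [regex]::Escape($hostHeader) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostHeader in Cert:\LocalMachine\My" }

# 2. Step 8 of the post: make the friendly name start with '*'. Setting the
#    property on a certificate from the Cert: provider writes it back to the store.
if (-not $cert.FriendlyName.StartsWith('*')) {
    $cert.FriendlyName = '*' + $cert.FriendlyName
}

# 3. Steps 2-3 / 9: the HTTPS site binding that carries the host header.
if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostHeader)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 `
                   -IPAddress '*' -HostHeader $hostHeader
}

# 4. Attach the certificate to the IP:port. In IIS 7 HTTP.sys keys the SSL
#    binding on IP:port only, so one certificate is served for all host
#    headers on that address; a second certificate needs a second IP.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (-not (Test-Path $sslPath)) {
    New-Item -Path $sslPath -Value $cert | Out-Null
}

# 5. Verify what HTTP.sys will actually present on 0.0.0.0:443 (certificate
#    hash should match $cert.Thumbprint).
netsh http show sslcert ipport=0.0.0.0:443
Get-WebBinding -Name $siteName -Protocol https | Format-Table protocol, bindingInformation
```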


Happy Bindings!

(Coffee Time)

37 thoughts on “Using Host Headers and SSL in IIS 7 (without the ugliness of appcmd)”

  1. Pingback: Tin Isles : Subject Alternative Names for SSL

  2. Pingback: TechNullogy » SSL Host Headers in IIS7 WITHOUT appcmd

  3. Mike

    You are a god! I was pulling my hair out for the last hour trying to figure this out. I was creating the cert w/ a wild card in the common name and not the friendly name.

    Thanks a bunch!

  4. Josh M.

    Great solution! I still think it’s strange behavior from IIS, though. Thanks for the information.

  5. Pingback: How to configure/import SAN certificate in IIS 7.x? « TechOnTip Weblog

  6. Alex F

    You Sir, are a Saint. I was under tons of pressure to get this fixed and was stressing out (boss getting anxious). You have allowed me to accomplish my task, sip on my coffee, and surf Slashdot for the rest of the evening. :-)

  7. Pingback: Maximilian Krauß | Gewusst wie: IIS 7 und Wildcard SSL Zertifikate

  8. Ank

    This was a life saver. Found it, and it is very useful documentation. Microsoft should make sure that this gets documented and published and provide a link to this website as an acknowledgement if not reward.

  9. Ank

    Suggestion though it might be too late, please correct the text “SLL” to “SSL” in the article’s title.

  10. ArmgaSys Post author

    Ank,
    Thank you for the heads up on our spelling faux pas. Over one year has passed since the article’s original publication and you are the only person (that we know of) who has caught the error (ourselves included). The error has been fixed!

    Signed: Embarrassed editorial staff who are overly reliant on F7

  11. Dave

    Hi, I am experiencing a problem. I had an https site running under my IIS. The root was the name of my computer. I used the above method to rename my site. The name of the certificate and the name of my site match, but I am not able to access the webservice anymore. If I want to open the webservice in a browser, the browser asks for a certificate. After installing the client certificate I get the following message:

    403 – Forbidden: Access is denied.

    You do not have permission to view this directory or page using the credentials that you supplied.

    Did anybody encounter the same problem, and more importantly does anyone have a solution?

  12. MAS

    Excellent!
    As for everyone else here, was struggling with a different “solution” to the appCMD (not that I mind working from the command line, just that it’s inconvenient for something like this).
    Worked great and solved my problem!

  13. Mark

    Excellent tip! I stumbled upon this but couldn’t figure out how to replicate it on another server. Changed the friendly name on the cert and it worked perfectly.

  14. Alexandre S

    This is really incredible. I think this is a bug of IIS, where the “Friendly Name” field was checked instead of the “Object” field.
    Could explain why all of this is working wrong or with ugly command lines …
    thank you !!!

  15. Konstantin

    This is simply amazing! I was struggling with workarounds for this problem for quite some time. Thanks a lot!

  16. Chris Means

    Been looking for a way to do this for a long time (appcmd wasn’t working for us).

    Pity I hadn’t found this article earlier (probably because I thought it was SharePoint specific).

    Thanks!

  17. Chris Means

    Ooops, spoke too soon. Though the change to the friendly name works for 1 certificate on one site, if we try the same thing on another site (on the same server) with a different certificate, we run into the exact same problem…it sees that the binding is already in use, and it changes the first site’s associated certificate to the new one.

    Any idea how to get around this? 2 different domains, 2 different sites, 2 different SSL certificates, but HTTP & HTTPS binding required.

    Our current approach is to assign a different IP to each domain, thus allowing us to simply bind to the IP address, but we’d like to avoid having to do that for each site.

  18. ArmgaSys Post author

    Chris,

    The solution we present only works for a single certificate. It works because the stream is decrypted by a known certificate which exposes the URL for host header processing.

    In a scenario where more than one certificate is used, the URL is unknown (or more specifically, encrypted) which prevents host headers from working. Therefore, you cannot use host headers to select the certificate to perform the decryption step (the classic chicken and egg).

    If multiple certificates are required, the only solution we are aware of is to map a certificate to an IP address.

  19. Thom

    I work for a cloud services group that hosts a client who recently expanded their operations globally. As part of that expansion, they needed to add a sub-domain for each and every country in which they did business. Had I not seen this article in my research, I was doomed to write a verrrrrrrrrrry long appCMD script long hand.

    I thank you for the many, many hours of my weekend you just gave back to me. :)

    Sincere thanks,
    ~Thom

  20. Emrah

    Great! I’ve never seen anywhere that mentions the friendly name beginning with *. Definitely you solved my problem, appreciate it, thanks so much!
