Wildcard SSL certificate in IIS 6.0, Windows 2003 Sp1 and above
Here I will be talking about configuring SSL wildcard certificates in IIS 6.0 on Win2k3 SP1 and above.
You may have a scenario wherein you want to have the same certificate installed for multiple Websites. Now in a normal scenarios this is not possible.
What I mean is you cannot have the same certificate installed on multiple Websites. To achieve a similar functionality you need to get a wildcard certificate from a Certificate Authority.
A wildcard certificate can be applied when you have the same end-domain name for all your Websites wherein you want to install the certificate.
Let's say you have Websites like www.test.com, mail.test.com and hrweb.test.com. Here the same end-domain name is present which is test.com.
Also remember that you can install the certificate for all such Websites when all of them are running under the same IP/Port combination. Here host headers will be the identifying criteria for Websites.
So let's say you have the following configuration:
WebSite Host Header Value IP Address Port SSL Port
Test1 www.test.com 10.0.1.1 80 443
Test2 mail.test.com 10.0.1.1 80 443
Test3 hrweb.test.com 10.0.1.1 80 443
and you want to use the same certificate for all the above Websites, Wildcard certificate is a viable option.
Here are the steps to obtain a wildcard certificate through IIS manager:
-In IIS Manager, expand the local computer, and then expand the Web Sites folder.
-Right-click the Web site for which you want to obtain a wildcard server certificate, and then click on Properties.
-On the Directory Security tab, under Secure communications Button, click Server Certificate.
-In the Web Server Certificate Wizard, click Create a new certificate.
-Follow the Web Server Certificate Wizard, which will guide you through the process of requesting a new server certificate. You can have any name in the Wizard which shows Name and Security Settings. On the 'Your Site's Common Name' page, type a name in the Common name box, using the following format:
*.<sitename> for example, *.test.com (as in our scenario).
By default, the certificate request file is saved as C:\Certreq.txt, but the wizard allows you to specify a different location of your choice.
-Click Finish to complete the wizard.
After you receive the wildcard server certificate from the Certification Authority, assign the same certificate on all Web sites that have the same IP/port binding and are distinguished only by the host header name.
Here is a Screenshot of the wildcard certificate that we got for our *.test.com sites.
Now at this point if you try to access any of the Websites you will see that all of the HTTPS responses come from one specific site.
You won't get the corresponding web pages from different Websites depending upon the site in URL. You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding (without of course some extra settings). If you try to start the other Websites you may see something like this below:
Now, the next most important thing is to follow the script below:
Go to Start Menu, click Run, type "cmd", and then click OK.
Type the following command at the command prompt:
C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>" <--- [It's not case sensitive]
where host header is the host header for the Web site, for example, www.test.com or mail.test.com.
C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:www.test.com"
C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings ":443:mail.test.com"
C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings ":443:hrweb.test.com"
Now once we have these settings in place for the Websites you should be able to browse to the Websites. You will also be able to start all the Websites without any issues.
Ensure that you do not modify any of the SSL related settings in the IIS manager like host header etc. after doing the changes in the metabase.
Finally have SSLDiag handy in case you get into issues for any general SSL related troubleshooting :-)