Back to top

Setting Up a Wildcard Certificate for Multiple Sites in IIS 7

image_not_found

Setting Up a Wildcard Certificate for Multiple Sites in IIS 7

You may have come across this before, I know I have…. you have a server running IIS 7 (for example on Windows 2008 R2, which is what my server is), and you want to add multiple sites with certificates without using a unique IP address for each one.

In later versions of IIS such as version 8, you can use Server Name Indication (SNI) right there in the GUI to set the host name to use when someone connects using https. This allows the server to use the same IP address and port (typically 443) for multiple certificates.

In IIS 7, however, this option isn’t available. Now for one client site here and one client site there, that’s not so bad as I’ve just bought a new IP adddress for each one, but I’ve just had to solve this issue for a wildcard certificate where the client had 5 sites and we didn’t have easy access to a massive pool of IP addresses (or time to set them up), and found a nice little workaround that I thought I’d document here….

It turns out that provided you use the format “*.blah.com” for the Friendly Name of your certificate, IIS will allow you to set the hostname for https.

Changing the Certificate Friendly Name

If you have already set the certificate’s friendly name to something else (like I had), you can change it via the Microsoft Management Console (MMC):

  1. On the Windows Server computer, click Start and type mmc.exe.
  2. In the MMC window, go to File > Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins window, select Certificates and click Add.
  4. In the Certificates snap-in window, select Computer account, click Next, select Local computer, and click Finish.
  5. In the Add or Remove snap-in window, click OK.
  6. Navigate through the tree to Certificates > Personal > Certificates
  7. Find your wildcard certificate, right click and select Properties.
  8. Set the Friendly Name to whatever you want it to be, and click OK.

Setting friendly name for certificate in MMC

Now return to IIS, select your site, go to Bindings, and select Add, and when you choose https and select the wildcard certificate, the Host name field will become editable.

Selecting host name for https binding in IIS

I did read in a discussion online that using the command line should work as a workaround, as well, such as running the following:

appcmd set site /site.name:"<SiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<HostHeaderValue>']

replacing **** with the name of the IIS site and **** with the host header for that site (e.g. subdomain.mydomain.com).

However I found that even by doing this, IIS wasn’t respecting the binding, and I received errors on trying to load the page. Once the wildcard name was setup as the friendly name on the certificate, it was OK - so at least that’s a quick way of adding https bindings for multiple sites if you have a few.