All geek questions in one place

How do I configure SSL for an IIS Express site that uses multiple host names?

My web application project includes several websites hosted by a single IIS Express site. I managed to outperform Scott Hanzelman's excellent blog post and IIS Express successfully runs both http: //foo.local and http: //bar.local from the same root directory of the web application.

However, I need both sites to support SSL. Following the advice of Hanselman, I can create an SSL certificate and "attach" it to one combination of IP ports.

makecert -r -pe -n "CN=foo.local" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 netsh http add sslcert ipport=0.0.0.0:443 appid='{214124cd-d05b-4309-9af9-9caa44b2b74b}' certhash=284475d4a4eb5c4d3ab7da4fdefa928186482376

It succeeds, but I cannot repeat the process for the second site. Obviously, only one SSL certificate can be applied to one combination of IP ports.

How can I make an SSL certificate that covers both https: //foo.local and https: //bar.local or otherwise "attach" one for each site?

+6
source share
2 answers
The answer to this question led me in the right direction. Beyond Hanselman instructions , thatโ€™s what I had to do.

First of all, I included SNI in the binding of my site in the IIS Express application applicationhosts.config. This meant adding the sslFlags attribute:

 <binding protocol="https" bindingInformation="*:443:foo.local" sslFlags="1" /> <binding protocol="https" bindingInformation="*:443:bar.local" sslFlags="1" />

(credit: Configuring SNI on IIS8? )

Then, instead of using makecert I created a self-signed certificate using the PowerShell New-SelfSignedCertificate :

 New-SelfSignedCertificate -DnsName foo.local, bar.local -CertStoreLocation cert:\LocalMachine\My

(credit: How to create a self-signed SAN certificate in Windows 8 )

In addition, I followed Hanselman's instructions to use netsh http add sslcert... to "register" a certificate for an IP port and to use the MMC Certificates snap-in to make it reliable.

+8
source

Obviously, only one SSL certificate can be applied to one combination of IP ports ...

Multiple certificates require IIS 8 or higher. IIS 8 supports Server Name Specification (SNI). See Server Names (SNIs) with IIS 8 (Windows Server 2012) .

How can I make an SSL certificate that covers both https://foo.local and https://bar.local ...

Create one certificate. In the certificate, specify both names in the Subject Alternate Name (SAN). Put a friendly name on CN.

CN must be a friendly name because:

  • IETF does not recommend placing DNS name in CN
  • CA / Browser forums are deprecated by specifying a DNS name in CN
  • CNs are often displayed to users, so they should be friendly

... or else "attach" one for each site?

Upgrade to IIS 8 or Server 2012.

Following Hanselmanโ€™s advice ... makecert -r -pe -n "CN=foo.local"

His advice is wrong here.

+1
source

Source: https://habr.com/ru/post/973067/

More articles:


All Articles