We want two ssl sites on an IIS Server. I generated a self signed ssl certificate using IIS for https://Django.mycompanyname.com:443

However we also need https://site2.Django.mycompanyname.com:443 on the same server.

Is this possible without buying a wildcard ssl certificate?


1 Answer

Technically this is possible - it's called server name indication.

The first IIS version that supports this feature is IIS 8.0 (see here)

In your case you need to update your server to at least Server 2012 or use a reverse proxy that is capable of providing this.

I would recommend using nginx as a reverse proxy - this provides additional features like HTTP2 support and overall performance improvement of served content (nginx does some quite nice optimizations on transport as well)


To give a short explanation of what actually happens here:

When using SNI, the negotiation of the encrypted connection is modified in such a manner that the client sends the requested hostname at the very beginning of the connection - therefore older clients don't support this. Having received the requested hostname, the server can decide which certificate is handed to the client (when correctly set up, the cert matches the requested hostname).

Having a server that doesn't provide this mechanism, there's only one certificate available per listener, and this cert is handed out to any client that connects. Therefore a single endpoint (defined by IP:Port) can only respond with one certificate (and/or be bound to one hostname).

IIS7 doesn't provide SNI capabilities.

This leads to the requirement of either a certificate that contains all requested/served hostnames (which may not be possible due to the number of hosts / different customers) or a unique binding (IP:Port) per offered SSL/TLS endpoint.

  • can I ask why iis7 doesn't allow you to change the hostname within the site bindings window when you're using SSL? – user20338 Mar 11 '16 at 13:10
  • Good explanation found in this earlier SF thread: http://serverfault.com/questions/96810/iis7-cant-set-host-name-on-site-with-ssl-cert-and-port-443 – vigilem Mar 11 '16 at 14:38
  • quoted - The short answer is that each IP can only have one certificate bound to it, so the certificate binding is going to apply no matter what hostname is directed to that IP address. Being able to specify a hostname would imply that you can have multiple hostname and certificate combinations on the same IP address and port (as you can with non-SSL entries), but this is not the case, so the field is unavailable. – vigilem Mar 11 '16 at 14:40
  • With that info, the best bet for this scenario may just be to use two IPs for this server... one IP for each site/certificate. – Dre Mar 12 '16 at 02:29
  • @Daniel when you say a certificate that "contains all the requested/served hostnames", does this mean in the certificate I would have to assign django.mycompanyname.com, site2.django.mycompanyname.com etc etc ? And is that why my colleague mentioned he managed to take down the entire domain by trying to apply the certificate to a new umbraco site he had built. At which point I got very worried. – user20338 Mar 12 '16 at 12:14
  • Yes - it's a multi domain (UCC) certificate. Be aware that users can retrieve information about all domain names that are assigned to a cert (maybe you don't want users to see that there's another domain associated with the cert) – Daniel Nachtrub Mar 12 '16 at 12:17
  • I believe we use a wildcard certificate at the moment. The reason I am posting here is I am setting up a new test environment. However I will have to play with our LIVE server which uses the same certificate anyway. So if I was to release a new site, how would I assign the new subdomain to the certificate? – user20338 Mar 12 '16 at 12:30
  • You cannot add subdomains to existing certs. You need to request a new certificate that contains all required domain names. This is one of the reasons why UCC is not very handy. – Daniel Nachtrub Mar 12 '16 at 12:36