Multiple SSL certificates to access one ASP.NET application in IIS

Hi,

I have an ASP.NET application that's currently accessible via a single domain name, with an SSL certificate. We'd like to be able to access the same application via a second domain name. The non-SSL part is easy, just set up a second host header value for the website in IIS. We know we'll need a second SSL certificate for the second domain, and of course a second IP address to run the two certificates in parallel - neither of those is a problem.

The problem is that IIS doesn't seem to let you set up ONE website that has TWO SSL certificates - it seems you can bind the one website to two SSL entries provided each has its own IP, but only using the same certificate.

We'd rather not have a second website entry in IIS because that would mean a complete second copy of the ASP.NET application running - i.e. double the memory usage. The two domains are basically country-specific variations, so we can't use a wildcard certificate with subdomains off a common domain name.

Is there any way to do this? Can IIS be configured to serve up two SSL certificates off one website entry (based on the IP address, of course)? Or is the best way to achieve this to set up a second website in IIS which reverse proxies onto the 'real' website?


Solution 1:

You shouldn't need a second IP address or a second website. All you need to do is get a new certificate issued for your existing site, with the addition of the "Subject Alternative Name" attribute defined. This will allow you to use the same SSL cert for multiple fully qualified domain names.

Solution 2:

You can't do that, a web site in IIS can only have one certificate assigned to it.

Your only option is defining two websites.

If you don't want to duplicate resource usage, you can put both applications in the same application pool.

Solution 3:

This is not an issue with IIS but with the secure layer:

When you connect to an HTTP server, your browser opens a TCP connection to the remote server and uses it to request a document. The hostname you are requesting is sent only at this moment. Thus the remote server knows which website you want only when it has received this request (thank you Captain Obvious!)

Now if you add SSL, you must proceed to the certificate exchange/verification BEFORE sending the request. At this time, the webserver doesn't know which website (URL) you requested so it can't choose a certificate.

You will have to define a second website, with either another IP or TCP port to do this.

Solution 4:

You could have an IIS reverse proxy set up in front of your web site and create two rules to offload traffic from two different DNS names.

(Optionally, you can have all this on the same server, the proxy in front on port 443 and your site on another port.)

Then create an HTTPS binding for every DNS name you have and don't forget to check "Require Server Name Indication".
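As an added example (not code from any of the answers above), the "Require Server Name Indication" bindings that Solution 4 ends with, applied directly to a single IIS site from PowerShell so that each host name gets its own certificate on one IP and port. It assumes IIS 8 or later with the WebAdministration module; the site name, host names and certificate thumbprints are placeholders.

```powershell
# Added example: one IIS website, two host names, two different certificates,
# using SNI (SslFlags 1) bindings. Requires IIS 8+ and WebAdministration.
# Site name, host names and thumbprints below are placeholders, not real values.
Import-Module WebAdministration

$siteName = 'MyApp'    # assumption: the existing single website entry in IIS
$bindings = @(
    @{ Host = 'app.example.co.uk'; Thumbprint = 'PLACEHOLDER_THUMBPRINT_UK_CERT' },
    @{ Host = 'app.example.de';    Thumbprint = 'PLACEHOLDER_THUMBPRINT_DE_CERT' }
)

foreach ($b in $bindings) {
    # Check that the certificate is actually in the machine store before binding it;
    # AddSslCertificate fails late and unhelpfully if the thumbprint is wrong.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $b.Thumbprint }
    if (-not $cert) {
        throw "Certificate $($b.Thumbprint) not found in Cert:\LocalMachine\My"
    }

    # SslFlags 1 = "Require Server Name Indication": IIS selects the binding by the
    # host name in the TLS ClientHello, so the certificate can be chosen before any
    # HTTP request is seen (the ordering problem described in Solution 3).
    if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $b.Host)) {
        New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
                       -HostHeader $b.Host -SslFlags 1
    }

    # Attach this host name's own certificate to its binding.
    $binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $b.Host
    $binding.AddSslCertificate($b.Thumbprint, 'My')
}

# Verify: one site, two https bindings, each carrying a different certificateHash.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash
```

Clients that do not send SNI (very old browsers) will not match either binding, so keep that in mind if you must still serve them.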