IIS 7.5 - can't configure two SSL Certificates under one IP-adress?
We're setting up HTTPS for all our websites. Unfortunately I'm not really experienced in IIS.
I have two certificates, one is a EV-UCC-Certificate with 10 subdomains included. the subdomains are from two different domains like this:
shop.abcdomain.com
www.xzydomain.com
I also have a wildcard certificate for one of those domains *.abcdomain.com
both domains run on the same IIS Server under the same IP Adress.
When I assign the wildcard certificate to some of my sites, everything works fine but when I then want to assign the EV-UCC certificate to another site which is in the same "sites" collection in IIS, I get the following error
At least one other site is using the same HTTPS binding and the binding is configured with a different certificate
I'm a little confused by this. Why can't I assign two different certificates on the same IIS? Can only be one SSL-Certificate on an IIS? If so, is there a workaround to make IIS think he can carry two SSL certificates?
I'm running IIS 7.5 on Windows Server 2008 R2
Originally, only one SSL certificate can be assigned to the same IP/Port combination. This is because host header is encrypted and HTTP layer cannot guess which host is requested and which certificate should be presented to client.
If so, is there a workaround to make IIS think he can carry two SSL certificates?
No, there are no workarounds in Windows Server 2008 R2. However, starting with Windows Server 2012 (IIS8) there is a way to bind multiple certificates to the same IP/Port combination by using Server Name Indication (SNI) TLS extension. Unlike in original SSL/TLS, SNI uses unencrypted host header. IIS versions prior to IIS8 don't support unencrypted headers. More reading: https://docs.microsoft.com/en-us/archive/blogs/kaushal/server-name-indication-sni-with-iis-8-windows-server-2012
Alternatively, you can bind your services to different TCP ports and assign certificates to each port.