IIS7: can't set host name on site with SSL cert and port 443

Consider a Win 2008 SP2 machine with IIS7. The task is to apply a certificate and host name to the one and only Site on this machine. The site's host headers need to be abc.123.example.com

The first step was installing the .pfx to the Personal Store, which was successful.

IIS7 finds the cert as available, but won't allow the entry of a host name. The host name textbox is ALWAYS disabled/greyed out, even before selecting my cert. I've even deleted the default port 80 binding.

Site Bindings

Question: how can I set a host name for this site? Is it a matter of this cert being a wildcard cert? I understand that the SSL request comes into the web server, and the host header in the packet is encrypted. Why then would IIS6 allow the host header to be specified, but IIS7 not?

Update: The cert isn't part of the problem. I've created a new Site on the machine, and when choosing https binding, the host name textbox is disabled.


Solution 1:

You can't do it from the UI, you have to do it from the command line. Here's a nice walk through of the process:

http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

Solution 2:

Its does work in GUI...

Just make sure the the 'friendly name' of the cert you are installing is the same as the multidomainname you have made for the cert.

ie. *.companydomain.com

if you put in 'Nice friendly name' for *.companydoman.com cert, when installing the cert into IIS, it will grey out the host name header box.

If you use *.companyname.com as the friendly name, you're golden.

Boom.

Solution 3:

The short answer is that each IP can only have one certificate bound to it, so the certificate binding is going to apply no matter what hostname is directed to that IP address. Being able to specify a hostname would imply that you can have multiple hostname and certificate combinations on the same IP address and port (as you can with non-SSL entries), but this is not the case, so the field is unavailable.

The more complete explanation is that SSL encrypts your traffic, and part of that traffic is the HTTP headers sent by the browser to the server. One of those headers would be the "Host" header which IIS uses to determine which site to load up with the request. Since the certificate needs to be loaded to establish the secure connection BEFORE the request headers are sent, IIS has to select the certificate based only upon the IP address and port number, leaving the "Host" header out in the cold as a factor in determining which site to load, so they don't let you enter one.

Here is an article which outlines the inner workings of the SSL connection in finer detail.

Solution 4:

The SSLShopper answer did not work for me because it left the binding without the host header, and you couldn't remove that binding without breaking the connection to the certificate. Here is the method I used to get it to work:

Please note that this answer assumes that your certificate has already been generated, added to the certificate store, and added to IIS. It also assumes you do not want any other bindings to your website besides the SSL one.

First, we need to gather some information. We need the hash, the application ID and the host name.

Steps

  1. Open IIS, select your server and double click on "Server Certificates" in the bottom section. Note the "Issued To" address. This is our host name. Save this.
  2. Select your site
  3. Bind your site to port 80 using the http protocol
  4. Remove all other bindings
  5. Bind your site to port 443 using the https protocol
  6. Open a command prompt

    netsh http show sslcert
    
  7. Save the Certificate Hash and the Application ID

  8. Remove the https binding on your site
  9. At the command prompt:

    netsh http add sslcert ipport=0.0.0.0:443 certstorename=my certhash=<put Certificate Hash here> appid={<put Application ID here>}
    
    appcmd set site /site.name:"<put site name here>" /+bindings.[protocol='https',bindingInformation='*:443:<put host name here>']
    

Note: Appcmd.exe can be found in C:\Windows\System32\inetsrv. You may need to be in that folder for this command to work.

  1. Remove the http binding from your site

Solution 5:

The accepted answer here is confusing and I don't think it's correct for the question. It shouldn't be the accepted answer.

The problem

You have a wildcard SSL such as *.ipsum.com and the certificate is installed but you can't choose a host name for the site in IIS when you try to add an HTTPS binding because the text box is greyed out.

The solution

Your wildcard SSL can be used with any subdomain, you just need to make sure you start the Friendly Name of the certificate with *. I prefer to use the same friendly name as the wildcard domain, e.g. *.ipsum.com but you can call it anything that beings with the asterix: *foo

I gave my certificate the wrong Friendly Name, help!

Since Windows 8 or Server 2012, you can type certlm.msc in the start menu to manage certificates for the local machine. On previous versions of windows you will need to do something slightly more convoluted:

  1. Run mmc.exe from start
  2. Go to File menu and choose Add/Remove Snap-in... or hit (Ctrl-M)
  3. Highlight the Certificates snap-in and hit Add > then choose Computer Account followed by Local Computer in the subsequent dialogs then hit Finish followed by OK to close the Snap-ins window

In the main window, expand Certificates (Local Computer) then Personal then Certificates and you will be able to right-click the certificate, hit Properties where you can update the friendly name.

Close and open IIS Manager and you can then set your host name.