17 November 2007

Wildcard SSL certificate in IIS 6.0, Windows 2003 Sp1 and above

Here I will be talking about configuring SSL wildcard certificates in IIS 6.0 on Win2k3 SP1 and above.

You may have a scenario wherein you want to have the same certificate installed for multiple Websites. Now in a normal scenarios this is not possible.

What I mean is you cannot have the same certificate installed on multiple Websites. To achieve a similar functionality you need to get a wildcard certificate from a Certificate Authority.

A wildcard certificate can be applied when you have the same end-domain name for all your Websites wherein you want to install the certificate.

Let's say you have Websites like www.test.com, mail.test.com and hrweb.test.com. Here the same end-domain name is present which is test.com.

Also remember that you can install the certificate for all such Websites when all of them are running under the same IP/Port combination. Here host headers will be the identifying criteria for Websites.

So let's say you have the following configuration:

WebSite                   Host Header Value                  IP Address                Port             SSL Port
==================================================================
Test1                          www.test.com                      10.0.1.1                     80                  443
Test2                          mail.test.com                        10.0.1.1                     80                  443

Test3                          hrweb.test.com                    10.0.1.1                     80                  443

and you want to use the same certificate for all the above Websites, Wildcard certificate is a viable option.

Here are the steps to obtain a wildcard certificate through IIS manager:

-In IIS Manager, expand the local computer, and then expand the Web Sites folder.

-Right-click the Web site for which you want to obtain a wildcard server certificate, and then click on Properties.

-On the Directory Security tab, under Secure communications Button, click Server Certificate.

-In the Web Server Certificate Wizard, click Create a new certificate.

-Follow the Web Server Certificate Wizard, which will guide you through the process of requesting a new server certificate. You can have any name in the Wizard which shows Name and Security Settings. On the 'Your Site's Common Name' page, type a name in the Common name box, using the following format:
*.<sitename> for example, *.test.com (as in our scenario).

By default, the certificate request file is saved as C:\Certreq.txt, but the wizard allows you to specify a different location of your choice.

-Click Finish to complete the wizard.

After you receive the wildcard server certificate from the Certification Authority, assign the same certificate on all Web sites that have the same IP/port binding and are distinguished only by the host header name.

Here is a Screenshot of the wildcard certificate that we got for our *.test.com sites.

image

Now at this point if you try to access any of the Websites you will see that all of the HTTPS responses come from one specific site.

What I mean is that if you access https://www.test.com, https://mail.test.com or https://hrweb/test.com you will get the response from one site only.

You won't get the corresponding web pages from different Websites depending upon the site in URL. You will  also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding (without of course some extra settings). If you try to start the other Websites you may see something like this below:

image

Now, the next most important thing is to follow the script below:

Go to Start Menu, click Run, type "cmd", and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"                       <--- [It's not case sensitive]

where host header is the host header for the Web site, for example, www.test.com or mail.test.com.

e.g.

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:www.test.com"

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings ":443:mail.test.com"

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings ":443:hrweb.test.com"

Now once we have these settings in place for the Websites you should be able to browse to the Websites. You will also be able to start all the Websites without any issues.

Ensure that you do not modify any of the SSL related settings in the IIS manager like host header etc. after doing the changes in the metabase.

Finally have SSLDiag handy in case you get into issues for any general SSL related troubleshooting :-)

Filed under: , ,
 

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# MSDN Blog Postings » Wildcard SSL certificate in IIS 6.0, Windows 2003 Sp1 and above said:

PingBack from http://msdnrss.thecoderblogs.com/2007/11/17/wildcard-ssl-certificate-in-iis-60-windows-2003-sp1-and-above/

16 November 07 at 11:16 PM
# Noticias externas said:

Here I will be talking about configuring SSL wildcard certificates in IIS 6.0 on Win2k3 SP1 and above

17 November 07 at 4:49 AM
# /dev/null said:

Thanks for sharing this info and making it clear enough for me.  Very helpful, thanks.

08 January 08 at 3:18 PM
# Aloy said:

I am not able to get the wildcard cert. my company is using its own portal to obtain certificate from verisign.

Here is the error i am getting:

Your request contains a dnsName that is incorrectly formatted.

The offending name is: *.subdomain.domain.com

Support Information: 35DB

20 February 08 at 12:52 AM
# Saurabh Singh said:

Hi Aloy,

I don't see a reason as to why it should fail. Have you checked with the vendor which issues the wildcard cert, in this case it seems Verisign. Also before that, have you checked going through IIS certifticate wizard to request for a new certificate and see if that fails too. Let me know. Also where exactly do you see the error.

20 February 08 at 9:15 AM
# John_R said:

Thanks. Your explanations are crystal clear until the csript explanation. My problem is that I don't see any correlation between <site identifier> and the web sites present in IIS Manager. I have run this command to enumerate the web sites:

cscript.exe adsutil.vbs enum_all /P

The above command's output lists my web sites as numbers (e.g. [33430808]) instead of the human-readable names used for them in IIS Manager. How can I get my web sites to list out as something other than numbers via the command line?

25 March 08 at 4:59 PM
# Saurabh Singh said:

Hi John, thanks for your response.

Not sure if I got your question correctly.

If you want to see the listing of a website with its corresponding identifier, go to IIS manager console, select Web Sites (at the global level), and then on the right pane you will see the columns: Description (which shows the friendly name) and Identifier column (which shows the identifier corresponding to the website on IIS 6.0).

Or else, Right click on a website -> Properties -> Web site.

Under enable Logging section, click on Properties -> at the bottom you will see Log file name, which will have the identifier for the website in the format W3SVC<ID>\exyymmddhh.log.

Not sure if this what you had in mind. Let me know if you are looking for some scripts etc to get the friendly name and its corresponding identifier. You can check this link to run a VB Script from cmd prompt http://blogs.msdn.com/david.wang/archive/2005/07/13/HOWTO_Enumerate_IIS_Website_Configuration.aspx

Hope this helps.

Thanks!

25 March 08 at 6:40 PM
# John_R said:

Thanks for your response, which fully answers my question.

Best of luck with your Blog.

26 March 08 at 10:14 AM
# atucker said:

I was wondering, if you wanted to do this is a wildcard certificate required or can you get an SSL certificate for each subdomain you make?

11 April 08 at 3:29 PM
# Saurabh Singh said:

Hi atucker,

Yes, you can definitely get different SSL certificates for each sub-domains. It's up to an individual as to which route s/he wants to take.

Having one wild card cert across all sub-domains will help in the administration purpose, consistency and convenience may be. I hope i understood your question correctly.

11 April 08 at 4:07 PM
# KSI said:

This will only work with a wildcard cert as only one cert is actually served.  So if you are all right with having your users click on the continue button once they are provided with the IE warning then fine it works great.  Still not the best solution for hosting multiple domains.

15 April 08 at 6:09 PM
# sg said:

Saurabh - great article. I read your blog after reading the MS Technet article (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true) which was not clear about the site identifier to use.

However, as one of the earlier comments - two issues that remain to be solved:

a) users will get IE warning which in IE7 has become more "frightening" for non-tech savvy users - I guess the solution is to specify separate certificates for each domain you want to host.

b) do the commercial third-party certificate authorities issue a wildcard certificate?

08 May 08 at 12:25 PM
# Saurabh Singh said:

Hi sg, thanks.

Regarding your concerns,

a). I wonder why users will get an IE warning. Users should not get a security alert in IE at all if you have used the Common Name while requesting the certificate through the IIS wizard to use *.abcd.com etc.

If your wild card cert shows *.abcd.com in the "Issued to" section, then when you access a site like test.abcd.com, mail.abcd.com etc you should not get an alert at all. Let me know if we are on the same page and I will try to clarify it more clearly.

b). Yes, 3rd parties like VeriSign etc do issue wildcard cartificates.

08 May 08 at 12:44 PM
# sg said:

Hey Sourabh - I meant IE security alert which in IE7 is worded a little too strongly and frightens non-tech users.

One question on the identifier for the websites, I noticed in IIS6 that while system created site such as Default Web Site has identifier 1 and Sharepoint has 2 - the user created ones have a really long number. I wonder how is this number generated and is there a way to manage it.

I also noticed that Symantec Mail Security picked up the next available single digit number whereas the user created sites have anywhere from 6 to 12 digits.

08 May 08 at 11:47 PM
# Saurabh Singh said:

Sg, you are right, IE 7 shows a more esoteric alert :-), that's true. But again, if we have the SSL cert correctly set, IE won't get a chance to prompt with an alert to the end users.

Anyways, coming back to your other question, yes, the user-created web sites have long random site identifiers. It's actually based on random sequence and doesn't have any ill-effects as such. Certain softwares like SharePoint and Symantec do check for next available ID that can be used etc.

You can set the site identifier of your own choice by following the command below:

C:\Inetpub\Adminscripts> Cscript adsutil.vbs move w3svc/<existing_Identifier>   w3svc/<new_identifier>

e.g.

>cscript adsutil.vbs move w3svc/12345678  w3svc/10

Your website may get stopped after this, so ensure you start the website again after executing this command.

Hope this helps.

09 May 08 at 12:03 PM
# Joe said:

Hi

I set up WSUS without https.  Another admin set up our numara help desk on the same server without giving another default site folder in the iis. (I have to click on "default web site" folder / properties / directory security to get to the sever communication opetion)

When I create the certificate how would it impact the wsus?

Any idea if these are statis files? Any idea if I can create another site and move the driectory path to new location?

The numara product was migrated to this wsus server - the old server has it own wild card certification - can I copy/install it to this server?

Thanks

Joe

15 May 08 at 7:34 AM
# Saurabh Singh said:

Hi Joe,

I am not sure I got what you really asked for. Sorry.

Let me try answering what i understood.

If you have WSUS without SSL as a web site on the server and if you are trying to install certificate for another web site on the same server it would NOT impact the first site. Your WSUS is listening on port 80 (by default unless you changed the port) and SSL enabled site over https listens on port 443 (by default unless modified).

Yes, you can copy and install the wild card cert from the old server to this server for numara product site.

Let me know if I missed any of your requirements.

Hope this helps!

15 May 08 at 12:01 PM
# Joe said:

Hi

Both the WSUS site and numara helpdesk site runs on 80 at the moment.

We want to make it ssl.

1)Is it alrite to running both sites on "default web site" space

2)You are saying I can use my current wild card ssl certification on this space

I dont see anything wrong with since the numara site os pointing to an alternate path. Numara has an application pool. I cannot just create 1 site with ssl for my current set up.

Since the root file only shows the ability to addthe server certification - everything under that the server certification option is greyed out.

Thanks for your help. I've copied the old certs.

Any thoughts?

Joe

15 May 08 at 1:30 PM
# Saurabh Singh said:

Hi Joe,

Guess we can talk to understand better about the problem in hand.

Please email me your number (if you are in US) at xxxxxxxxxxxxxx.

15 May 08 at 1:42 PM
# Joe said:

Hi -

My issue is resolved. Thanks for putting this up for IIS

Thanks

Joe

19 May 08 at 8:50 AM
# Saurabh Singh said:

People often enquire questions/concerns related to SSL wildcard cert etc. Questions that come directly to me via email and is not posted in this blog/comments section, I will try to add them here in case it is of value to people having similar questions/concerns around the subject. Here is the first one:

====================================

Hi Saurabh,

I have just found your article (Wildcard SSL certificate in IIS 6.0, Windows 2003 Sp1 and above) and I was wondering that maybe you could help me to find some answers.

We just purchased an wildcard certificate and I'm having some issues on setting it up on our IIS server.

Currently I have the same structure as the one from your blog:

The problem is that this is a production server and I don't want to screw things up. That's why I have these questions:

1. Do I have to get rid of the existing Host Header Value before I do the binding?

ans: > No, you don’t have to remove the host header entries.

2. Can the Test2 (for example) be accessed by http after I do the binding for the main one (www.test.com)

(the reason why I'm asking this would be because I don't want to do the binding for all existing subdomains yet)

ans: > Yes you can access any other site including www.test.com over HTTP without issues. The problem arises when you try to access a site over SSL after installing the cert and not having the right bindings.

3. When I do the binding for www.test.com does it kick off the customers that are on the other websites (subdomains)?

ans: > No, it won’t kick off customers who are on the other sites/subdomains. Users get kicked off if by any chance you recycle the IIS worker process, which won’t occur here.

Thanks,

Adrian Mic

30 May 08 at 6:01 PM

Leave a Comment

Comment Policy: No HTML allowed. URIs and line breaks are converted automatically. Your e–mail address will not show up on any public page.

(required) 
(optional)
(required) 

About Saurabh Singh

Myself, a Support Engineer with Microsoft GTSC, India. I have been supporting IIS and ASP.Net. I am a Computer Engineer (B.E.), did my graduation from one of the premier Engineering institutes in India. I have been working in the IT field for over 5 years now.
Page view tracker