
We'd like to use an ECDSA SSL cert; however, we need to support a fairly wide variety of devices including some that are unlikely to ever support ECDSA certificates. The standard solution is to fallback to an RSA cert based on what the client supports, presumably as envisaged in this answer. On Linux with Apache 2.4 it's possible, and similarly for Nginx where wikipedia's turned it on. How can I enable this, ECDSA+RSA, in Windows for IIS and OWIN?

The answer I expect is "Use Windows Server 2016 and then do X," but I'd like to be pleasantly surprised.

cacsar

2 Answers

As Peter said, this isn't possible on any version of IIS currently. However, you could set up nginx as an SSL proxy in front of IIS, and that would do what you need.

Steve365
  • Nginx as an SSL-terminating proxy on a Linux box in front, I assume? I *believe* (without a firm basis) that Nginx on Windows still uses SChannel (where support for dual certs would unblock IIS/OWIN even if it needed to be manually configured in the registry). We're currently using Azure's LB, and an Nginx load balancer/SSL termination could be something we'd do for other reasons. – cacsar Aug 20 '15 at 22:08
  • @cacsar I'm not sure about nginx on Windows, to be honest; I've only ever run it on Linux boxes. That's the way I'd go, with a separate *nix box in front. Nginx HTTP/2 support should be out sometime in the not too distant future too, so you'll get advantages there that IIS can't offer currently (although it will be able to with the next release and IIS 10). – Steve365 Aug 21 '15 at 07:08
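The nginx-in-front-of-IIS setup from this answer, written out as an added example (not the answerer's own config). It assumes nginx 1.11.0 or later, which is when multiple `ssl_certificate` directives of different key types became supported; the hostname, certificate paths and the internal IIS address are placeholders.

```nginx
# Added example: nginx terminates TLS with both an ECDSA and an RSA chain and
# forwards plain HTTP to IIS/OWIN. nginx (via OpenSSL) selects the chain the
# client can use from its offered cipher suites and signature algorithms.
# All names and paths here are placeholders.
server {
    listen 443 ssl;
    server_name www.example.com;

    # ECDSA chain, used for clients that advertise ECDSA support
    ssl_certificate     /etc/nginx/certs/example-ecdsa.crt;
    ssl_certificate_key /etc/nginx/certs/example-ecdsa.key;

    # RSA chain, used for legacy clients that cannot validate ECDSA
    ssl_certificate     /etc/nginx/certs/example-rsa.crt;
    ssl_certificate_key /etc/nginx/certs/example-rsa.key;

    # Prefer the server's order: ECDSA suites first, RSA suites as the fallback.
    # Very old devices may need additional suites appended at the end of this list.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

    location / {
        # Internal hop to the IIS/OWIN host; keep the original host and scheme
        # so the application generates correct https:// links.
        proxy_pass http://10.0.0.10:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To confirm both chains are served, connect once normally and once with only RSA suites offered (for example `openssl s_client -connect www.example.com:443 -cipher ECDHE-RSA-AES128-GCM-SHA256`) and compare the certificate subject and key type in each output.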

It is my understanding that neither 2012 R2 nor Server 2016 support dual certificates.

You can only assign a single certificate to a binding.

Set up a second binding and point your legacy devices to it.

Peter Hahndorf
  • While I could believe that's the only option on Windows, it's not exactly a viable one. Time to go poke contacts. – cacsar Jul 25 '15 at 03:25