IIS 7.5 - can't configure two SSL Certificates under one IP-adress?

Question

We're setting up HTTPS for all our websites. Unfortunately I'm not really experienced in IIS.

I have two certificates, one is a EV-UCC-Certificate with 10 subdomains included. the subdomains are from two different domains like this:

shop.abcdomain.com
www.xzydomain.com

I also have a wildcard certificate for one of those domains *.abcdomain.com

both domains run on the same IIS Server under the same IP Adress.

When I assign the wildcard certificate to some of my sites, everything works fine but when I then want to assign the EV-UCC certificate to another site which is in the same "sites" collection in IIS, I get the following error

At least one other site is using the same HTTPS binding and the binding is configured with a different certificate

I'm a little confused by this. Why can't I assign two different certificates on the same IIS? Can only be one SSL-Certificate on an IIS? If so, is there a workaround to make IIS think he can carry two SSL certificates?

I'm running IIS 7.5 on Windows Server 2008 R2

Answer 1

Originally, only one SSL certificate can be assigned to the same IP/Port combination. This is because host header is encrypted and HTTP layer cannot guess which host is requested and which certificate should be presented to client.

If so, is there a workaround to make IIS think he can carry two SSL certificates?

No, there are no workarounds in Windows Server 2008 R2. However, starting with Windows Server 2012 (IIS8) there is a way to bind multiple certificates to the same IP/Port combination by using Server Name Indication (SNI) TLS extension. Unlike in original SSL/TLS, SNI uses unencrypted host header. IIS versions prior to IIS8 don't support unencrypted headers. More reading: https://docs.microsoft.com/en-us/archive/blogs/kaushal/server-name-indication-sni-with-iis-8-windows-server-2012

Alternatively, you can bind your services to different TCP ports and assign certificates to each port.