
Using IIS 10 and a Centralized Certificate Store, is it possible to have a wildcard https binding, so that any request coming in over HTTPS will automatically attempt to grab the relevant certificate from the centralized store?

William
  • What is your goal? One certificate for all site bindings? Even if you generate a single certificate that contains the necessary subject alternative names, Centralized Certificate Store uses the file name convention to resolve the certificate file (.pfx), https://blogs.msdn.microsoft.com/kaushal/2012/10/11/central-certificate-store-ccs-with-iis-8-windows-server-2012/ and it requires you to duplicate the file multiple times for each of the host names. – Lex Li Apr 16 '18 at 20:05
  • Yea - I wanted to be able to control binding by the presence of the certificates if possible - – William Apr 16 '18 at 22:14
  • The article I linked shows the technical details behind the feature, so you have to follow the tips. No more is offered. – Lex Li Apr 16 '18 at 22:40
  • Any luck finding an answer to this? I'm also looking for something like this that will allow dynamically adding sites without bindings. – Chris Hynes Oct 06 '18 at 03:53
  • Looks like there's no way in IIS, but it's possible to do through something else like HAProxy: https://serverfault.com/a/706118/1939 – Chris Hynes Oct 06 '18 at 04:17

1 Answer


It depends on your definition of "wildcard".

IIS searches the CCS (Centralized Certificate Store) not based on the SNI name, but based on the binding name. Therefore it is not possible to have a catch-all binding with the CCS.

However, the CCS does support wildcard PFX files when a file name starts with "_.". Therefore, if you have a site with the binding blog.example.com, it will use the _.example.com.pfx file if present.

With IIS 10, we now also have wildcard binding support. Therefore, you can make a binding *.example.com and this will indeed work with the _.example.com.pfx file as well.

Lucero
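The configuration the answer describes, written out as an added PowerShell example (not part of the original answer): a wildcard https binding on IIS 10 whose certificate comes from the Central Certificate Store. It assumes the WebAdministration module, an existing site named "Blog", and a share path and credentials that are placeholders here.

```powershell
# Added example, not from the original post. Assumptions: site "Blog" exists,
# \\fileserver\ccs is the CCS share, and the credential values are placeholders.
Import-Module WebAdministration

# 1. Point IIS at the Central Certificate Store. The account only needs read
#    access to the share; the private key password unlocks the PFX files.
Enable-WebCentralCertProvider -CertStoreLocation '\\fileserver\ccs' `
    -UserName 'CONTOSO\ccs-reader' `
    -Password '<share-password>' `
    -PrivateKeyPassword '<pfx-password>'

# 2. Wildcard host-header binding (IIS 10 and later).
#    SslFlags 3 = SNI (1) + Central Certificate Store (2).
#    CCS resolves the PFX from the binding's host name, not from the SNI name
#    the client sends, so there is still no catch-all binding.
New-WebBinding -Name 'Blog' -Protocol https -Port 443 `
    -HostHeader '*.example.com' -SslFlags 3

# 3. Check: the file CCS will look for is the host name with "*." written as "_.".
$hostHeader = '*.example.com'
$pfxName    = ($hostHeader -replace '^\*\.', '_.') + '.pfx'   # _.example.com.pfx
$pfxPath    = Join-Path '\\fileserver\ccs' $pfxName

Get-WebBinding -Name 'Blog' -Protocol https |
    Select-Object bindingInformation, sslFlags

if (-not (Test-Path $pfxPath)) {
    Write-Warning "$pfxPath not found; HTTPS requests for *.example.com will fail the TLS handshake."
}
```

A per-host binding such as blog.example.com with the same SslFlags value resolves blog.example.com.pfx first and falls back to _.example.com.pfx, which is the behaviour the answer describes.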