
We need to install a wildcard certificate (*.mydomain.com) on our IIS 8.5 server to secure a website's domain and all of its subdomains, following a process similar to this.

When binding the certificate to the web site, bear in mind that we have many first-level subdomains:

Web site 1 bindings (all http):
- www.mydomain.co.uk
- subdomain1.mydomain.co.uk
- subdomain2.mydomain.co.uk
- subdomain3.mydomain.co.uk
- ...
Web site 2 (http):
- subdomain33.mydomain.com

Q1. What do we need to enter in the Host name field for Web site 1 to secure its domain and all its subdomains (see below)?

[screenshot: the IIS Site Bindings dialog with the Host name field]

Q2. Can we bind the same wildcard certificate to another IIS website (Web site 2), which is another subdomain of the same domain (mydomain) but a different web site? What should we enter in the Host name field in this case?

Q3. Considering we already have a single SSL certificate installed on the same machine/IP, bound to a web site for a different domain, can the two SSL certificates coexist without conflicts?

  • Are you sure you are using Windows Server 2012 R2 and IIS 8.5? IIS 8 and above supports SNI, which is just the solution for you. For each HTTPS binding, fill in a subdomain as host name and point to a valid certificate. – Lex Li May 09 '18 at 12:04
  • You don't need SNI if you're physically using the same certificate on different host headers. The decryption still succeeds. You only need SNI if you need to use a different cert for each host header but need to use the same IP. – Greg W May 09 '18 at 12:24
  • @LexLi You mean create new bindings for each subdomain (~30 subdomains) of type https and assign the same wildcard certificate (*.mydomain.com)? And yes, we use Win Server 2012 R2 & IIS 8. – alex May 09 '18 at 13:48
  • Unless you are using IIS 10, which supports wildcard host names, it is recommended that you specify subdomains explicitly via SNI mappings, as it is both clean and clear and everyone can easily understand and maintain it. There are tricks such as using the default web site as a catch-all site and configuring an IP-based certificate mapping. – Lex Li May 09 '18 at 14:04

1 Answer


A1. Whatever host name you want this binding to listen out for.

A2. Create your websites exactly as you would normally do for HTTP with host headers. As long as you use the exact same certificate (and it “matches” the host header), it’ll work.

A3. Depends on if the sites are on different IPs. If you need to run different sites on the one IP address (different host headers) and use different certificates, you’ll need SNI. If you can use the same wildcard cert, you don’t need SNI.

  • I should clarify: to avoid SNI, the same physical certificate must be used on all IIS "bindings" for that IP/port combination. This certificate must contain *ALL* the host names that will be used in the bindings; it doesn't have to be a wildcard. (E.g. one cert with both www.foo.com and www.bar.com in the SAN field will work when bound to two different bindings on the same IP without needing SNI.) – Greg W Oct 11 '18 at 00:04
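As an added example (not part of the answer or comments above), the following PowerShell, using the WebAdministration module that ships with IIS 8+, does what the answer and Lex Li's comment describe: it first checks that the certificate actually covers each host name using the one-label wildcard rule (so *.mydomain.com covers subdomain1.mydomain.com but not mydomain.com itself, not a.b.mydomain.com, and nothing under mydomain.co.uk), and only then creates one https binding per host name with the SNI flag set and attaches the certificate to it. The site name, host names and thumbprint are placeholders; the certificate is assumed to be already imported into LocalMachine\My.

```powershell
# Added example, not the original poster's or answerer's code.
# Assumes IIS 8+ with the WebAdministration module, a site named 'Web site 1',
# and a *.mydomain.com certificate already imported into Cert:\LocalMachine\My.
# $SiteName, $Thumbprint and $HostNames are placeholders to adjust.
Import-Module WebAdministration

$SiteName   = 'Web site 1'
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder thumbprint
$HostNames  = @('www.mydomain.com', 'subdomain1.mydomain.com', 'subdomain2.mydomain.com')

# Names the certificate covers: SAN dNSName entries, falling back to the CN.
function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    $names = @()
    if ($san) {
        # Multi-line Format() output looks like "DNS Name=www.mydomain.com" per line.
        $names = foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    if (-not $names) { $names = @($Cert.GetNameInfo('DnsName', $false)) }
    return @($names)
}

# RFC 6125 style match: exact name, or a leftmost-label wildcard that covers
# exactly one label. Comparison is case-insensitive (PowerShell -eq on strings).
function Test-CertCoversHost([string[]] $CertNames, [string] $HostName) {
    $labels = $HostName.Split('.')
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $labels.Count -ge 2) {
            $suffix = $n.Substring(2)
            $parent = ($labels[1..($labels.Count - 1)] -join '.')
            # *.mydomain.com matches a.mydomain.com, but not mydomain.com,
            # not a.b.mydomain.com, and not a.mydomain.co.uk.
            if ($parent -eq $suffix) { return $true }
        }
    }
    return $false
}

$cert      = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$certNames = Get-CertDnsNames $cert

foreach ($h in $HostNames) {
    if (-not (Test-CertCoversHost $certNames $h)) {
        throw "Certificate $Thumbprint does not cover '$h' (it covers: $($certNames -join ', '))"
    }

    # SslFlags 1 = SNI. One https binding per host name on *:443, so a second
    # site on the same IP can carry its own certificate for its own host name.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $h)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
                       -HostHeader $h -SslFlags 1 | Out-Null
    }

    # Attach the certificate to this SNI binding (store name 'my' = LocalMachine\My).
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $h
    $binding.AddSslCertificate($Thumbprint, 'my')
    Write-Host "Bound $h -> $Thumbprint (SNI)"
}
```

Run it in an elevated PowerShell on the IIS host. For Q2, run the same script with `$SiteName = 'Web site 2'` and its host name; for Q3, the other site's single-name certificate gets its own SNI binding the same way, and the two certificates coexist on one IP:443 because SNI selects the certificate by host name. If you instead want to skip SNI (SslFlags 0) as Greg W describes, the coverage check is the part that matters: every host name bound on that IP:443 must pass Test-CertCoversHost against the one certificate used for all of them.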