7

I have a problem similar to (but not the same) as this:
Azure web role - Multiple ssl certs pointing to a single endpoint

My azure package contains multiple sites. Some of these sites are on domain abc and others are on domain def. I need to secure both domains with SSL but can't figure out how (if it's possible) to do this.

Here's an example of my config:

<Sites>
    <Site name="sub1.abc" physicalDirectory="***">
        <Bindings>
            <Binding name="HttpIn" endpointName="HttpIn" hostHeader="sub1-staging.abc.com" />
            <Binding name="HttpsInABC" endpointName="HttpsInABC" hostHeader="sub1.abc.com" />
        </Bindings>
    </Site>
    <Site name="sub1.def" physicalDirectory="***">
        <Bindings>
            <Binding name="HttpIn" endpointName="HttpIn" hostHeader="sub1-staging.def.com" />
            <Binding name="HttpsInDEF" endpointName="HttpsInDEF" hostHeader="sub1.def.com" />
        </Bindings>
    </Site>
</Sites>
<Endpoints>
    <InputEndpoint name="HttpIn" protocol="http" port="80" />
    <InputEndpoint name="HttpsInABC" protocol="https" port="443" certificate="abc" />
    <InputEndpoint name="HttpsInDEF" protocol="https" port="443" certificate="def" />
</Endpoints>
<Certificates>
    <Certificate name="abc" storeLocation="LocalMachine" storeName="My" />
    <Certificate name="def" storeLocation="LocalMachine" storeName="My" />
</Certificates>

This configuration gives me the following error:

The same local port '443' is assigned to endpoints HttpsInABC and HttpsInDEF in role ***.

Any suggestions on how I can work around this without having to host them separately?



Based on @JoelDSouza's answer:

Will using different ports work for you

What are the implications of SSL on ports 444/445/446 etc. in Windows Azure?

Cœur
  • 37,241
  • 25
  • 195
  • 267
Paul Fleming
  • 24,238
  • 8
  • 76
  • 113
  • 1
    +1. Good question flemster – Mathew Thompson Mar 14 '13 at 21:41
  • Possible duplicate - http://stackoverflow.com/questions/10442858/is-it-possible-to-get-one-ssl-certificate-mysubdomain-example-com-and-mysubdom – ChrisF Apr 04 '13 at 11:24
  • @ChrisF. My question is regarding SSL for multiple *different* domain names rather than sub domains. – Paul Fleming Apr 04 '13 at 11:39
  • @flem - A duplicate answer was posted which indicates the questions *may* be duplicate. I left a comment to get feedback on whether it was a duplicate or not. – ChrisF Apr 04 '13 at 11:41

4 Answers4

3

You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.

IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.

I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at: http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/

Vitor Ciaramella
  • 440
  • 3
  • 4
  • 2
    What is the browser support for SNI? – Paul Fleming Apr 04 '13 at 11:40
  • In practice, any browser with the exception of Internet Explorer on Windows XP. [Check on Wikipedia for a comprehensive list](http://en.wikipedia.org/wiki/Server_Name_Indication) – Vitor Ciaramella Apr 08 '13 at 02:37
  • 1
    With IE on XP still accounting for a large chunk of web traffic this presents a critical problem with this solution for most websites. – Co7e Sep 12 '13 at 10:52
  • Info can be found here: http://web.archive.org/web/20160120030829/http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/ – Tim Friesen Feb 27 '17 at 12:57
2

I fear you are out of luck - as noted in the article you linked to, one SSL certificate per server IP. I guess by hosting them separately (that feels odd to say considering it's cloud based) you will get two IPs and therefore can add an SSL certificate to each IP address.

You could perhaps move everything to one domain and use folders within that domain to host the separate sites - that's the only way you will be able to secure everything with your SSL certificate without having two hosting packages: ie instead of:

www.domain1.com and www.domain2.com use www.mydomain.com/domain1/ and www.mydomain.com/domain2/

Chris K
  • 435
  • 2
  • 10
  • Unfortunately the directories vs domains suggestion doesn't meet my requirements. The domains belong to different clients. I'm no expert but I'm having a hard time believing that I can't host two sites on one server with different domain names, both being behind SSL... – Paul Fleming Mar 14 '13 at 21:00
  • I did imagine that the folders idea wouldn't be possible but you did ask if there was any way around the limitation :) Can you buy an additional IP for your package? I'm afraid you need one IP address per SSL certificate. – Chris K Mar 14 '13 at 21:02
0

Will using different ports work for you? You can use SSL cert 1 with myapp.cloudapp.net:443 and SSL cert 2 with myapp.cloudapp.net:8443

maddog
  • 184
  • 2
  • 13
  • My understanding is that SSL requires port 443. Is this untrue? – Paul Fleming Mar 15 '13 at 17:36
  • It can be run on any port, but 443 is the default. If a non-standard port is used, then it must be specified in the URL for browsers and most other applications. E.g. https://myapp.cloudapp.net:8443/ whereas https://myapp.cloudapp.net/ will be routed to port 443 by most applications. – ulty4life Apr 13 '15 at 21:23
0

If you don't need wildcard certificates you can use a multi-domain certificate. This way you only need one certificate. The downside is that each sub-domain needs to be specified, which can get expensive if you have a lot.

Co7e
  • 1,008
  • 10
  • 17