3

We have a Windows Server 2003 machine running IIS6.0 that hosts two different websites. We purchased an SSL certificate for both domains, but then discovered we couldn't use both at once because SSL uses port 443, and I can't set both domains to use that port number.

So my question is, is it possible to host https://www.domain1.com and https://www.domain2.com on the same IIS 6.0 server? If so, how can I do this?

Rachel
  • Have you tried setting each web to use port 443 on two different IP addresses? – Bahri Gungor Feb 29 '12 at 15:09
  • @BahriGungor No I have not. I assumed that would make the site stop working since the IP address listed there is the IP address for the machine. – Rachel Feb 29 '12 at 15:14
  • You can have as many IP addresses you want for a computer. Once you set another IP for your server, set each site to use each IP on port 443 and 80. Don't use virtual directories or host headers. Then configure your SSL for each (which is where my knowledge falls short). – Bahri Gungor Feb 29 '12 at 15:21
  • @BahriGungor Would I need to change the MX records or any incoming connections so it uses the new IP address as well? And why couldn't I use host headers? Currently both sites are accessed by multiple domain names, so they both use host headers. – Rachel Feb 29 '12 at 15:31
  • @Rachel MX records are for mail you will need to change the A(IPv4) record and the AAAA (IPv6), As discussed in my answer the host header is encrypted, so not readable without ONE certificate. Also the SSL handshake happens before the host-header is sent so it is strictly one SSL certificate per IP/Port combination. – David Waters Feb 29 '12 at 15:37
  • @DavidWaters Ooops, you're correct, I meant `A` record, not `MX` record. Thank you. – Rachel Feb 29 '12 at 15:43
  • @Rachel As for the host headers, I thought the certificate was tied to a domain name, not the IP, so I'm going to have to defer to David on this one. I suggest you test your browser to each domain name. – Bahri Gungor Feb 29 '12 at 15:46
  • @BahriGungor You are correct, certificates are tied to domains. The issue here is that when a request comes in (SSL over TCP/IP) the SSL handshake happens before any HTTP, so no host name is known at handshake time, just IP & port. So to tell which cert needs to do the handshake, IIS requires only one cert per IP address. – David Waters Feb 29 '12 at 17:33
  • @DavidWaters So is there a way so that multiple domain names can be tied to the same cert, so that she doesn't get a browser warning when the client connects? – Bahri Gungor Feb 29 '12 at 17:46
  • @BahriGungor I'm actually trying to tie two separate domains to two separate certificates on the same IIS 6.0 instance and IP address. The problem is, SSL comes in over port 443 by default, and only one of those domains can be using port 443 at a time. What David said makes sense, about it not knowing what certificate to use to decrypt the SSL message. – Rachel Feb 29 '12 at 17:59
  • @Rachel I see, I thought you meant each site had multiple domain names. – Bahri Gungor Feb 29 '12 at 18:35
  • @BahriGungor Both sites do have multiple domain names, but we are using host headers for that. The SSL certificate is only for one domain name on each site. – Rachel Feb 29 '12 at 18:44
  • @Rachel I was asking David if an SSL certificate could be created for multiple domain names, because if the SSL isn't configured for a particular domain name, any requests coming in for that domain will be caught by the browser as not matching the name and will warn the user. – Bahri Gungor Feb 29 '12 at 18:49
  • @BahriGungor the only way I know of including multiple domain-names on certificates is through wild-card certs for sub-domain (no use for the OP). I could be wrong but I strongly suspect this is not possible. The best practice for this is for servers to have multiple IP addresses. – David Waters Mar 01 '12 at 12:48
  • So to sum things up, in order to have two sites, each with multiple domain names set up on SSL, each domain needs its own certificate tied to the domain name on an independent IP (one per domain name), configured in IIS to point to the appropriate site folder. Is that right David? – Bahri Gungor Mar 01 '12 at 14:31

1 Answer

4

As @Bahri Gungor said, the way to do this is for the server to have multiple IP addresses, have the different domains attach to different IPs, and then you should be able to have each have a separate SSL certificate.

Windows Servers can be assigned lots of IP addresses; then, depending on your network setup, you could change the DNS records for your different domains to point to the different IP addresses. Remember DNS changes take a while to roll through the network (depending on their time-to-live). So you need to have the domain you move hosted on multiple IP addresses until all clients have the new DNS records. See the following

Why?

How I assume you have things configured is serving both domains off the same port and the same IP address, and having IIS choose the website based on the host header. The host header, as the name implies, is part of the HTTP headers sent to the server with the request; when using HTTPS this information is encrypted using the SSL certificate. So if you could have multiple certificates served off the same port and IP address, IIS would not know which certificate to use to decrypt the incoming request.

Wild Card Certificates

One way round this is if you have multiple sub-domains: they can share one SSL certificate, and then you can use host headers to choose which site the user is interested in. So if you had

a.example.com
b.example.com
c.example.com

You could get a certificate for

*.example.com

Then the websites for the subdomain could share one SSL certificate and the same IP address and port.

David Waters
  • I appreciate your edit with wildcard certificates, however in this case both domains are completely different and do not share the same suffix. – Rachel Feb 29 '12 at 15:32
  • Yes I saw that from your question, that section was for the next person with a similar issue finding this answer. – David Waters Feb 29 '12 at 15:33
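The answer above explains two things: the TLS handshake finishes before the browser sends its Host header, so an IIS 6 box can only pick a certificate by the IP and port the connection arrived on, and a wildcard certificate lets several subdomains share one IP:port. The following script is an added example (not from the original question or answer) that models both points: a binding table that allows exactly one certificate per (ip, port), a handshake that sees only the socket address, and browser-style hostname matching where `*` covers exactly one DNS label. The IP addresses, host names and certificate names are constructed for illustration.

```python
"""Model of IIS 6 SSL bindings and browser hostname matching (added example)."""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Minimal stand-in for an X.509 server certificate: the DNS names it covers."""
    names: tuple  # e.g. ("www.domain1.com",) or ("*.example.com",)


def name_matches(pattern: str, hostname: str) -> bool:
    """Browser-style (RFC 6125) matching: case-insensitive, and a leading '*'
    stands for exactly one DNS label, so '*.example.com' covers
    'a.example.com' but neither 'example.com' nor 'x.a.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


@dataclass
class Server:
    """Model of IIS 6: exactly one certificate per (ip, port) binding."""
    bindings: dict = field(default_factory=dict)

    def bind(self, ip: str, port: int, cert: Certificate) -> None:
        key = (ip, port)
        if key in self.bindings:
            # This is the situation in the question: a second certificate on 443.
            raise ValueError(f"{ip}:{port} already has a certificate bound")
        self.bindings[key] = cert

    def handshake(self, ip: str, port: int):
        """The TLS handshake happens before any HTTP header (including Host)
        is sent, so the only data available to choose a certificate is the
        socket's IP and port (no SNI in this model, as with IIS 6)."""
        return self.bindings.get((ip, port))


def browser_check(server: Server, ip: str, port: int, hostname: str) -> str:
    """'ok' if the certificate presented on ip:port covers hostname,
    'no-ssl' if nothing is bound there, else 'name-mismatch' (browser warning)."""
    cert = server.handshake(ip, port)
    if cert is None:
        return "no-ssl"
    return "ok" if any(name_matches(n, hostname) for n in cert.names) else "name-mismatch"


def demo() -> dict:
    srv = Server()
    # Constructed addresses: one IP per certificate, as the answer recommends.
    srv.bind("192.0.2.10", 443, Certificate(("www.domain1.com",)))
    srv.bind("192.0.2.11", 443, Certificate(("www.domain2.com",)))
    srv.bind("192.0.2.12", 443, Certificate(("*.example.com",)))
    # Trying to put the second domain's certificate on the first IP is rejected.
    try:
        srv.bind("192.0.2.10", 443, Certificate(("www.domain2.com",)))
        second_cert_same_ip = "accepted"
    except ValueError:
        second_cert_same_ip = "rejected"
    return {
        "domain1 on its own IP": browser_check(srv, "192.0.2.10", 443, "www.domain1.com"),
        "domain2 on its own IP": browser_check(srv, "192.0.2.11", 443, "www.domain2.com"),
        # The host header cannot steer certificate choice: wrong IP means a warning.
        "domain2 sent to domain1's IP": browser_check(srv, "192.0.2.10", 443, "www.domain2.com"),
        "second cert on same IP:port": second_cert_same_ip,
        "wildcard covers a.example.com": browser_check(srv, "192.0.2.12", 443, "a.example.com"),
        "wildcard does not cover apex": browser_check(srv, "192.0.2.12", 443, "example.com"),
        "wildcard does not cover two labels": browser_check(srv, "192.0.2.12", 443, "x.a.example.com"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:38} {outcome}")
```

Run it directly to see the table of outcomes. The one-label wildcard rule is why a `*.example.com` certificate helps for `a.example.com` and `b.example.com` but does nothing for two unrelated registered domains such as those in the question.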