Multiple websites, host headers, SSL, and IIS (oh my)

Thursday, 21 June 2007 12:06 by Greg

Do you have a web server running IIS, with multiple sites all listening on port 80, each of which needs an SSL certificate? Seeing as how I've broken a server thrice now, it's time to write the definitive how-to guide on doing this, to help you and to remind me the next time I need to do it.

First and foremost, get the IIS Resource Kit. You will need one of the tools in there (selfssl.exe), and there are plenty of other tools that can make your IIS admining easier.

Open up your handy IIS admin tool and look at your list of websites in list view. You'll see each name along with its associated "identifier", host header name, port, and SSL port. Remember your basic TCP/IP networking: you send your packets to a port because something is listening on that port, and you can't have two services listening on the same port on the same machine. Actually, you can't have two services listening on the same port on the same IP address. With IIS, though, you can, kind of. On Windows Server 2003 you can have multiple websites, but each of them must be told apart by either a host header value or an IP address; they can't all just sit on port 80 with nothing to distinguish them. Sorry, it just doesn't work that way. Enter SSL: the HTTPS protocol does all of its business on port 443 and only port 443 (without browser modifications, not an option in the Internet world), and the host header travels inside the encrypted request, so IIS must decrypt with a certificate before it can tell the sites apart. That is why every site sharing an address on 443 has to present the same certificate, one that covers all of their names. So there is the quagmire. The answer is relatively simple (that is, once you've downed all your websites repeatedly...):

  1. Ensure each site has either a unique IP address or a host header.
  2. Create and install a wildcard SSL certificate. Work with your SSL vendor to obtain one of these. For internal servers (or ones that need not be fully trusted), you can use the selfssl tool from the IIS Resource Kit to create a self-signed certificate:
     selfssl.exe /n:cn=* /k:1024 /v:1480 /p:443 /s:1
     This will create a 1024-bit certificate for site identifier 1 on port 443, valid for 1480 days (about 4 years).
  3. ** Note: this next step will stop your site. ** Copy the certificate from site identifier 1. The easiest way to do so is through IIS Admin | Directory Security | Server Certificate, then use the wizard to Assign a certificate already installed on your machine. Ensure you select the WILDCARD certificate. After clicking Apply or OK your website will be stopped.
  4. Alter the IIS metabase to allow the sharing of the certificate:
     cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set /w3svc/[identifier]/SecureBindings ":443:[host header name]"
     Here [identifier] is the unique website identifier IIS assigns to every website, and [host header name] is the host header name previously configured for the site. For example:
     cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set /w3svc/123456789/SecureBindings ":443:my-host-header-name"
  5. Start your website in the IIS Admin tool.

You can repeat steps 3-5 for each site on your server.
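Before running step 4 against a server full of sites, it helps to check the inventory for the two things that will bite you: a binding that two sites both claim (IIS will refuse to start the second), and a host header that the wildcard certificate does not actually cover. The script below is an added example, not code from the original post; the Site records are constructed sample data (on a real server the values come from adsutil.vbs get /w3svc/<id>/ServerBindings and /SecureBindings), and the certificate name *.example.com stands in for whatever a vendor-issued wildcard carries. The matching rule it applies is the usual one-label wildcard rule (RFC 2818), so it is meant for a vendor certificate rather than the bare cn=* the selfssl command produces. It also generates the per-site adsutil command from the post for every SSL site.

```python
"""Pre-flight check for sharing one wildcard certificate across IIS 6 sites.

Added example, not code from the original post. The Site records are
constructed sample data; on a real server the values come from
adsutil.vbs get /w3svc/<id>/ServerBindings and /SecureBindings.
"""
from dataclasses import dataclass

ADSUTIL = r"cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs"


@dataclass(frozen=True)
class Site:
    identifier: int           # the W3SVC site identifier IIS assigns
    server_binding: str       # "ip:port:hostheader"; empty ip = all unassigned
    secure_binding: str = ""  # "ip:443:hostheader", or "" if the site has no SSL


def parse_binding(binding: str):
    """Split an IIS binding string into (ip, port, host); host is lower-cased."""
    parts = binding.split(":")
    if len(parts) != 3:
        raise ValueError(f"binding must be ip:port:host, got {binding!r}")
    ip, port, host = parts
    return ip, int(port), host.lower()


def wildcard_matches(cert_name: str, host: str) -> bool:
    """RFC 2818 style match: '*.example.com' covers exactly one extra label,
    so it matches www.example.com but neither example.com nor a.b.example.com.
    A plain (non-wildcard) name must match exactly, case-insensitively."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]               # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def find_conflicts(sites):
    """Report every ip:port:host triple that two sites both claim."""
    owner = {}
    problems = []
    for site in sites:
        for binding in (site.server_binding, site.secure_binding):
            if not binding:
                continue
            key = parse_binding(binding)
            if key in owner:
                problems.append(
                    f"site {site.identifier} and site {owner[key]} both bind {binding}")
            else:
                owner[key] = site.identifier
    return problems


def uncovered_sites(sites, cert_name):
    """Identifiers of SSL sites whose host header the certificate does not cover."""
    return [s.identifier for s in sites
            if s.secure_binding
            and not wildcard_matches(cert_name, parse_binding(s.secure_binding)[2])]


def adsutil_commands(sites):
    """The SecureBindings command from step 4, generated for every SSL site."""
    commands = []
    for s in sites:
        if not s.secure_binding:
            continue
        ip, port, host = parse_binding(s.secure_binding)
        commands.append(
            f'{ADSUTIL} set /w3svc/{s.identifier}/SecureBindings "{ip}:{port}:{host}"')
    return commands


# Constructed sample inventory (not taken from any real server).
SITES = [
    Site(1, ":80:www.example.com", ":443:www.example.com"),
    Site(2, ":80:shop.example.com", ":443:shop.example.com"),
    Site(3, ":80:intranet.corp.example.com", ":443:intranet.corp.example.com"),
    Site(4, ":80:www.example.com"),   # same port-80 binding as site 1
]
CERT_NAME = "*.example.com"           # assumed name on the vendor wildcard certificate


if __name__ == "__main__":
    for problem in find_conflicts(SITES):
        print("CONFLICT:", problem)
    for ident in uncovered_sites(SITES, CERT_NAME):
        print(f"site {ident}: host header not covered by {CERT_NAME}")
    for cmd in adsutil_commands(SITES):
        print(cmd)
```

With the sample data the script flags site 4 for duplicating site 1's port-80 binding and site 3 because intranet.corp.example.com has two labels in front of the wildcard, which *.example.com does not cover; a separate certificate (or a *.corp.example.com wildcard on its own IP) would be needed for that one. After running the generated commands, adsutil.vbs get /w3svc/<id>/SecureBindings shows what the metabase now holds for each site.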

References:
IIS 6.0 Resource Kit
To setup SSL on multiple Sharepoint 2007 web applications using host headers under IIS 6.0
Configuring SSL Host Headers (IIS 6.0)
