IIS Server - SSL Host Headers in SP1


Scott

2005-06-23, 6:00 pm

I know until recently to do SSL for multiple domains on one server, host
headers were not enough and that separate IP addresses were required for each
SSL certificate. However, according to KB 187504, Windows Server 2003 SP1
now supports SSL for host header-based sites. Unfortunately, after following
the steps listed, I was unable to make this work. Has anyone else got this
working yet? Does it only support multiple SSL for sites abc.anydomain.com,
def.anydomain.com, and ghi.anydomain.com, or does it support different actual
domains such as www.domain1.com, www.domain2.com, and www.domain3.com
(provided that you have the SSL certificates for each domain)?

Any help would be greatly appreciated. For the time being I have gone to
multiple IP addresses just to get it working; however, I would like to make
it work using only one IP address.

Wade A. Hilmo [MS]

2005-06-23, 6:00 pm

Hi Scott,

It supports the "abc.anydomain.com, def.anydomain.com, and
ghi.anydomain.com" scenario. I don't believe that there is a technical
reason why it would not support the "www.domain1.com, www.domain2.com, and
www.domain3.com" scenario, but there is a practical reason why you cannot do
this.

Specifically, IIS has to decrypt the SSL stream to get to the host header
before it knows the site. This can work in the first scenario above because
you can get someone to issue you a certificate for "*.anydomain.com", and
you can associate that certificate with abc, def, and ghi on anydomain.com.
IIS can then use that same certificate to decrypt the host headers for each
of the sites and it will work. You will not be able to buy a certificate
for "*.com", which is what would be required for the second scenario because
the existence of such a certificate for any of the publicly trusted
certificate authorities would make it so that clients could never securely
determine that they are connected to the correct server with SSL.

Also, you cannot use different certificates for different sites on the same
IP/port binding because then you are back to the original problem that you
could not determine the correct certificate to use to decrypt the host
header.

I hope that this helps to explain the feature and limitations.

Thank you,
-Wade A. Hilmo,
-Microsoft

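As an added illustration (not code from the thread or from IIS), the following Python models the rule Wade describes: every host-header site sharing one IP:port binding presents the same certificate, so that certificate must name all of the sites, and a public CA will issue "*.anydomain.com" but never "*.com". The hostnames, certificate names and bindings are constructed for the example.

```python
# Added example (not code from the thread or from IIS): models the rule
# Wade describes. Sites sharing one IP:port binding present one
# certificate, so it must name every site, and a public CA will issue
# "*.anydomain.com" but never "*.com". All names below are constructed.

def wildcard_matches(pattern, hostname):
    """RFC 6125-style check: '*' covers exactly one leftmost label and
    must leave at least two fixed labels, so '*.com' matches nothing."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    fixed = pattern[2:]
    if "." not in fixed:  # "*.com" style: refuse it, as public CAs do
        return False
    labels = hostname.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == fixed

def sites_covered(cert_names, sites):
    """Split sites on one binding into those the bound certificate names
    and those it does not (browsers would warn on the latter)."""
    covered, uncovered = [], []
    for host in sites:
        if any(wildcard_matches(n, host) for n in cert_names):
            covered.append(host)
        else:
            uncovered.append(host)
    return covered, uncovered

def bindings_needed(site_to_cert):
    """Minimum IP:port bindings: one per distinct certificate, after
    confirming that each site's certificate actually names the site."""
    groups = {}
    for host, cert in site_to_cert.items():
        if not any(wildcard_matches(n, host) for n in cert):
            raise ValueError("certificate %r does not cover %s" % (cert, host))
        groups.setdefault(cert, []).append(host)
    return len(groups)

if __name__ == "__main__":
    wildcard = ("*.anydomain.com",)
    one_domain = {h: wildcard for h in
                  ("abc.anydomain.com", "def.anydomain.com", "ghi.anydomain.com")}
    print("scenario 1 bindings:", bindings_needed(one_domain))  # 1
    many_domains = {h: (h,) for h in
                    ("www.domain1.com", "www.domain2.com", "www.domain3.com")}
    print("scenario 2 bindings:", bindings_needed(many_domains))  # 3
    print(sites_covered(wildcard, list(one_domain) + ["www.domain1.com"]))
```

Scenario 2 comes out at three bindings, which is the separate-IP workaround Scott ended up with. Later TLS clients send the hostname in the ClientHello (Server Name Indication, RFC 6066), which is what lets newer IIS versions bind a different certificate per host on one IP; the thread predates that.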



Bernard Cheah [MVP]

2005-06-26, 2:48 am

Yes, it works only with a wildcard cert of the same domain.

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/





Copyright 2003 - 2008 webservertalk.com