bobbailey22

asked on

IIS 8 SSL Certificates not assigning to proper site in Certificate Store

We have 6 web servers all running 2012 R2 and IIS 8.  They all run the same website with a wildcard certificate *.ourdomain.com that works great.  Most of our clients use name.ourdomain.com for their websites on our platform so our cert covers 99% of them.

We have some clients who like to use their own custom domain on our system and that is where we have run into some issues.  I set up a "certificate store" for client certs and we have added the client's certificates there.  Our wildcard cert is bound individually to each of the 6 web servers in the traditional way, because the certificate store requires a hostname, which defeats the purpose of a wildcard.  Also SNI does not help us with the wildcard cert either, I have read that it is better not to use it in our situation with wildcards but I may be wrong.  Enabling it does not fix this issue.

When assigning/binding the certificate store cert to the client's website using name.clientdomain.com, it seems to take over all the ssl traffic regardless of the hostname requested and our main site breaks.  Is there a better way to set this up?  Do I need to assign separate IP addresses like we did back in IIS7?  I want to avoid that since it eats up 6 IP's for each client and they would fill up fast.

Or should I assign one block of IP's for the wildcard and one block for the shared certificate store certs?

Thanks for your help I hope that all makes sense.
Rich Weissler

Only one certificate can be bound to an IPAddress/Port.  So,... you need to either assign additional IPs for each site using a different certificate, or start moving those sites to 'other' ports, which is rarely agreeable.
To Rich's point, you must have multiple public IPs available to implement it.

Ip1:443 => lanip1:443
Ip2:443 => lanip2:443 or lanip1:1234
Ip3:443 => lanip3:443 or lanip1:2345

ASKER

Thanks guys, that is what I thought.  I should be able to share an IP for the certificate store though, correct?
The certificate store is computer/user/service not IP based.
You can assign a certificate from a store with the correct function to ....... a service that is bound to an IP:port.
So if I am understanding properly, as long as our clients don't have a wildcard certificate, we can use the cert store on a different set of IP addresses on our 6 servers with as many certs as required?

Wildcard bindings: x.x.x.1-6   *.ourdomain.com
Cert store bindings: x.x.x.7-12 unlimited certs on   name.client.com
Future wildcard certificates: x.x.x.13-18 and so on..  *.newclient.com

Correct?
I'm not certain where the requirements for six IP addresses per certificate comes from... but assuming that part is correct, your scheme appears correct.  (That is, you're not attempting to bind two different certificates on the same IP.)
(Edit: Wait!  I see where the requirement for six IPs come from... you have six servers.  Sorry about that.  Yes!  That definitely looks right then.)
SOLUTION
Aaron Tomosky
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Ok I am going to assign six new IP addresses for the shared store to use.  I will update once that is done.

Do you know if unified certs work with the cert store for their 5 hostnames?
So after digging into this further I have found that there are some changes in IIS 8 in regard to multiple sites sharing an IP address.  I do not need to add new IP addresses to my servers.  I was just setting it up wrong.  I have posted a new, unrelated question here in case any of you can offer insight:

https://www.experts-exchange.com/questions/28623843/APPCMD-to-enable-central-certificate-store-and-SNI.html

You CAN use as many SSL secured websites as you want using the same IP address (with SNI and certificate store) but you need to add a hostname to the bindings in IIS for each site.  I was trying to avoid this since it would mean manually adding them for over 300 sites (x6 servers) but that is just the way things are.

I can now use appcmd to assign the bindings but need a way to programmatically enable SNI and Central Cert Store, hence the new question.  I will leave this open for a bit in case you all have any further insight into this topic.
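As an added example, not taken from this thread or from the hidden accepted answer, here is one way to do the per-site work described above from PowerShell on IIS 8: enable the Central Certificate Store once per server, then add an SNI + CCS https binding with a host header for each client site. The share path, service account, site names and host names are placeholders.

```powershell
# Added example: many SSL sites on one IP using SNI + Central Certificate Store (IIS 8+, WebAdministration module).
Import-Module WebAdministration

# 1. Enable the Central Certificate Store once per server. IIS picks the certificate by file name on the share:
#    name.client.com.pfx for a host-header binding, _.ourdomain.com.pfx for a wildcard.
$ccsShare = '\\fileserver\CentralCerts'          # placeholder UNC path to the shared PFX folder
$ccsUser  = 'DOMAIN\ccs-reader'                   # placeholder account with read-only access to the share
$ccsPass  = Read-Host 'Password for the share account'   # prompted, not stored in the script
$pfxPass  = Read-Host 'Private key password used for the PFX files'
Enable-WebCentralCertProvider -CertStoreLocation $ccsShare -UserName $ccsUser `
    -Password $ccsPass -PrivateKeyPassword $pfxPass

# 2. Constructed list of client sites: one IIS site per custom host name.
$sites = @(
    @{ Site = 'ClientA'; Host = 'www.clienta.com' },
    @{ Site = 'ClientB'; Host = 'portal.clientb.com' }
)

foreach ($s in $sites) {
    # Check that the matching PFX is already on the share, otherwise the binding will have no usable cert.
    $pfx = Join-Path $ccsShare "$($s.Host).pfx"
    if (-not (Test-Path $pfx)) {
        Write-Warning "No certificate file $pfx for $($s.Site); skipping"
        continue
    }

    # Skip if the host-header binding already exists (script is safe to re-run on all six servers).
    $existing = Get-WebBinding -Name $s.Site -Protocol https |
        Where-Object { $_.bindingInformation -eq "*:443:$($s.Host)" }
    if ($existing) { continue }

    # SslFlags 3 = SNI (1) + Central Certificate Store (2): the requested host name selects the cert,
    # so the binding no longer captures all SSL traffic on the IP the way a plain IP:443 binding does.
    New-WebBinding -Name $s.Site -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $s.Host -SslFlags 3
}

# 3. Review: every https binding that shares the IP should carry a host header and sslFlags 3.
Get-WebBinding -Protocol https | Select-Object bindingInformation, sslFlags
```

A binding left without a host header (bindingInformation ending in ":443:") is the one that will still take over the whole IP, so that is the row to look for in the final listing.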
That's exactly what I was referring to by "host headers" in my comment. I'm glad you now have an understanding of how that works.

I don't have any experience in automating what you need to do from here but I bet PowerShell will be the way.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
We found the solution with the help of one of our technicians here.  It has been documented for future reference.