Solved

IIS 8 SSL Certificates not assigning to proper site in Certificate Store

Posted on 2015-02-23
12
331 Views
Last Modified: 2015-03-07
We have 6 web servers all running 2012 R2 and IIS 8.  They all run the same website with a wildcard certificate *.ourdomain.com that works great.  Most of our clients use name.ourdomain.com for their websites on our platform so our cert covers 99% of them.

We have some clients who like to use their own custom domain on our system and that is where we have run into some issues.  I set up a "certificate store" for client certs and we have added the client's certificates there.  Our wildcard cert is bound individually to each of the 6 web servers in the traditional way, because the certificate store requires a hostname, which defeats the purpose of a wildcard.  Also SNI does not help us with the wildcard cert either, I have read that it is better not to use it in our situation with wildcards but I may be wrong.  Enabling it does not fix this issue.

When assigning/binding the certificate store cert to the client's website using name.clientdomain.com, it seems to take over all the ssl traffic regardless of the hostname requested and our main site breaks.  Is there a better way to set this up?  Do I need to assign separate IP addresses like we did back in IIS7?  I want to avoid that since it eats up 6 IP's for each client and they would fill up fast.

Or should I assign one block of IP's for the wildcard and one block for the shared certificate store certs?

Thanks for your help I hope that all makes sense.
Question by:bobbailey22
12 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40628245
Only one certificate can be bound to an IPAddress/Port.  So,... you need to either assign additional IPs for each site using a different certificate, or start moving those sites to 'other' ports, which is rarely agreeable.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40628274
To Rich's point, you must have multiple public IPs available to implement it.

Ip1:443 => lanip1:443
Ip2:443 => lanip2:443 or lanip1:1234
Ip3:443 => lanip3:443 or lanip1:2345
0
 

Author Comment

by:bobbailey22
ID: 40628594
Thanks guys, that is what I thought.  I should be able to share an IP for the certificate store though, correct?
0
 
LVL 76

Expert Comment

by:arnold
ID: 40628752
The certificate store is computer/user/service not IP based.
You can assign a certificate from a store with the correct function to ....... a service that is bound to an IP:port.
0
 

Author Comment

by:bobbailey22
ID: 40628849
So if I am understanding properly, as long as our clients don't have a wildcard certificate, we can use the cert store on a different set of IP addresses on our 6 servers with as many certs as required?

Wildcard bindings: x.x.x.1-6   *.ourdomain.com
Cert store bindings: x.x.x.7-12 unlimited certs on   name.client.com
Future wildcard certificates: x.x.x.13-18 and so on..  *.newclient.com

Correct?
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40628870
I'm not certain where the requirements for six IP addresses per certificate comes from... but assuming that part is correct, your scheme appears correct.  (That is, you're not attempting to bind two different certificates on the same IP.)
(Edit: Wait!  I see where the requirement for six IPs come from... you have six servers.  Sorry about that.  Yes!  That definitely looks right then.)
0

 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 250 total points
ID: 40628920
without SNI the same cert is used for an IP/Port even though you use host headers to serve multiple websites. So you are supposed to force SNI for your sites using other certs.
0
 

Author Comment

by:bobbailey22
ID: 40629400
Ok I am going to assign six new IP addresses for the shared store to use.  I will update once that is done.

Do you know if unified certs work with the cert store for their 5 hostnames?
0
 

Author Comment

by:bobbailey22
ID: 40629731
So after digging into this further I have found that there are some changes in IIS 8 in regard to multiple sites sharing an IP address.  I do not need to add new IP addresses to my servers.  I was just setting it up wrong.  I have posted a new, unrelated question here in case any of you can offer insight:

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_28623843.html

You CAN use as many SSL secured websites as you want using the same IP address (with SNI and certificate store) but you need to add a hostname to the bindings in IIS for each site.  I was trying to avoid this since it would mean manually adding them for over 300 sites (x6 servers) but that is just the way things are.

I can now use appcmd to assign the bindings but need a way to programmatically enable SNI and Central Cert Store, hence the new question.  I will leave this open for a bit in case you all have any further insight into this topic.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40629919
That's exactly what I was referring to by "host headers" in my comment. I'm glad you now have an understanding of how that works.

I don't have any experience in automating what you need to do from here but I bet PowerShell will be the way.
0
 

Accepted Solution

by:
bobbailey22 earned 0 total points
ID: 40640325
Here is the proper way to add bindings using SNI and CCS

How to Configure Bindings in IIS 8 using Server Name Indication (SNI) and Central Certificate Store (CCS).
*This must be done this way to ensure all the necessary registry keys are created.
Located : HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslSniBindingInfo

1: Choose web site in IIS.  Go to Bindings Menu and Add a new binding.
2: Enter the following info:
A.      Type: Http
B.      IP Address: All Unassigned
C.      Port: 80
D.      HostName: www.temporary.com
3: Click OK to save binding
4: Click Add to add another binding with the following info:
A.      Type: Https
B.      IP Address: All Unassigned
C.      Port 443
D.      hostname: www.temporary.com
E.      Check “Require Server Name Indication” & “Use Centralized Certificate Store”
5: Click OK to save SSL binding.
6: Browse to:  C:\Windows\System32\inetsrv\config on local server.
7:  Open “applicationHost.config” file in notepad
8: Browse to the “<sites>” section and locate the relevant site name: “domain.com”
9: Locate the Bindings that you created from the GUI.  They will be in this format:
<binding protocol="https" bindingInformation="*:443:www.temporary.com" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:www.temporary.com" />
10: Remove the host info from the binding so that it now looks like this:
<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:" />
11: Save File and close
12: Open the Bindings menu from IIS and confirm that the host value is now removed.  Restart IIS.
0
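The two posts above describe the same outcome from two directions: the author's note that bindings can be created with appcmd but SNI and CCS still had to be enabled by hand, and the accepted answer's GUI steps that end with sslFlags="3" in applicationHost.config. The following PowerShell script is an added example, not code from the thread or from Microsoft, and it assumes the WebAdministration module that ships with IIS 8; the site name and hostnames are constructed placeholders. It creates the HTTP and HTTPS bindings per hostname with SslFlags 3 (Require SNI + Use Centralized Certificate Store) in one step, so the flags do not have to be toggled afterwards, and then lists the HTTPS bindings so you can confirm every one carries a hostname and sslFlags 3, which is the condition that stops a client certificate from answering for all SSL traffic on the shared IP.

```powershell
# Added example (not from the thread): create per-hostname bindings on a
# shared IP with SNI and the Central Certificate Store enabled.
# sslFlags values on an IIS 8 binding:
#   1 = Require Server Name Indication
#   2 = Use Centralized Certificate Store
#   3 = both (the value the accepted answer shows in applicationHost.config)
Import-Module WebAdministration

# Constructed sample values; replace with your own site name and client hostnames.
$siteName  = 'ClientPlatform'
$hostnames = @('www.client-one.example', 'www.client-two.example')

foreach ($h in $hostnames) {
    # Skip hostnames that already have an https binding so the script is safe to re-run
    # across all six servers.
    $existing = Get-WebBinding -Name $siteName -Protocol https -HostHeader $h -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Binding for $h already present, skipping"
        continue
    }

    # Plain HTTP binding, same hostname, "All Unassigned" IP (*).
    New-WebBinding -Name $siteName -Protocol http -Port 80 -IPAddress '*' -HostHeader $h

    # HTTPS binding with SNI + CCS. The hostname must be present: without it the
    # binding becomes the IP:443 default and would serve every request on that IP.
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $h -SslFlags 3
}

# Verification: every https binding on the site should show a non-empty host and sslFlags 3.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object bindingInformation, sslFlags
```

Two checks worth running after the script: `netsh http show sslcert` should list a "Central Certificate Store : 443" entry and a "Hostname:port" entry for each SNI hostname, which confirms HTTP.sys picked up the flags rather than only the IIS configuration; and the CCS share must contain a PFX named after each hostname (for example www.client-one.example.pfx), since CCS selects the certificate by file name, which is why a hostname-less binding cannot work with it.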
 

Author Closing Comment

by:bobbailey22
ID: 40650704
We found the solution with the help of one of our technicians here.  It has been documented for future reference.
0
