Solved

IIS 8 SSL Certificates not assigning to proper site in Certificate Store

Posted on 2015-02-23
428 Views
Last Modified: 2015-03-07
We have 6 web servers all running 2012 R2 and IIS 8.  They all run the same website with a wildcard certificate *.ourdomain.com that works great.  Most of our clients use name.ourdomain.com for their websites on our platform so our cert covers 99% of them.

We have some clients who like to use their own custom domain on our system and that is where we have run into some issues.  I set up a "certificate store" for client certs and we have added the client's certificates there.  Our wildcard cert is bound individually to each of the 6 web servers in the traditional way, because the certificate store requires a hostname, which defeats the purpose of a wildcard.  Also SNI does not help us with the wildcard cert either, I have read that it is better not to use it in our situation with wildcards but I may be wrong.  Enabling it does not fix this issue.

When assigning/binding the certificate store cert to the client's website using name.clientdomain.com, it seems to take over all the SSL traffic regardless of the hostname requested and our main site breaks.  Is there a better way to set this up?  Do I need to assign separate IP addresses like we did back in IIS 7?  I want to avoid that since it eats up 6 IPs for each client and they would fill up fast.

Or should I assign one block of IPs for the wildcard and one block for the shared certificate store certs?

Thanks for your help I hope that all makes sense.
Question by:bobbailey22
LVL 30

Expert Comment

by:Rich Weissler
ID: 40628245
Only one certificate can be bound to an IPAddress/Port.  So,... you need to either assign additional IPs for each site using a different certificate, or start moving those sites to 'other' ports, which is rarely agreeable.
 
LVL 77

Expert Comment

by:arnold
ID: 40628274
To Rich's point, you must have multiple public IPs available to implement it.

Ip1:443 => lanip1:443
Ip2:443 => lanip2:443 or lanip1:1234
Ip3:443 => lanip3:443 or lanip1:2345
 

Author Comment

by:bobbailey22
ID: 40628594
Thanks guys, that is what I thought.  I should be able to share an IP for the certificate store though, correct?
 
LVL 77

Expert Comment

by:arnold
ID: 40628752
The certificate store is computer/user/service not IP based.
You can assign a certificate from a store with the correct function to ....... a service that is bound to an IP:port.
 

Author Comment

by:bobbailey22
ID: 40628849
So if I am understanding properly, as long as our clients don't have a wildcard certificate, we can use the cert store on a different set of IP addresses on our 6 servers with as many certs as required?

Wildcard bindings: x.x.x.1-6   *.ourdomain.com
Cert store bindings: x.x.x.7-12 unlimited certs on   name.client.com
Future wildcard certificates: x.x.x.13-18 and so on..  *.newclient.com

Correct?
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40628870
I'm not certain where the requirement for six IP addresses per certificate comes from... but assuming that part is correct, your scheme appears correct.  (That is, you're not attempting to bind two different certificates on the same IP.)
(Edit: Wait!  I see where the requirement for six IPs comes from... you have six servers.  Sorry about that.  Yes!  That definitely looks right then.)
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 250 total points
ID: 40628920
Without SNI the same cert is used for an IP/port even though you use host headers to serve multiple websites. So you are supposed to force SNI for your sites using other certs.
 

Author Comment

by:bobbailey22
ID: 40629400
Ok I am going to assign six new IP addresses for the shared store to use.  I will update once that is done.

Do you know if unified certs work with the cert store for their 5 hostnames?
 

Author Comment

by:bobbailey22
ID: 40629731
So after digging into this further I have found that there are some changes in IIS 8 in regard to multiple sites sharing an IP address.  I do not need to add new IP addresses to my servers.  I was just setting it up wrong.  I have posted a new, unrelated question here in case any of you can offer insight:

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_28623843.html

You CAN use as many SSL secured websites as you want using the same IP address (with SNI and certificate store) but you need to add a hostname to the bindings in IIS for each site.  I was trying to avoid this since it would mean manually adding them for over 300 sites (x6 servers) but that is just the way things are.

I can now use appcmd to assign the bindings but need a way to programmatically enable SNI and Central Cert Store, hence the new question.  I will leave this open for a bit in case you all have any further insight into this topic.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40629919
That's exactly what I was referring to by "host headers" in my comment. I'm glad you now have an understanding of how that works.

I don't have any experience in automating what you need to do from here, but I bet PowerShell will be the way.
 

Accepted Solution

by:bobbailey22
bobbailey22 earned 0 total points
ID: 40640325
Here is the proper way to add bindings using SNI and CCS.

How to Configure Bindings in IIS 8 using Server Name Indication (SNI) and Central Certificate Store (CCS).
*This must be done this way to ensure all the necessary registry keys are created.
Located: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslSniBindingInfo

1: Choose the web site in IIS.  Go to the Bindings menu and add a new binding.
2: Enter the following info:
   A. Type: Http
   B. IP Address: All Unassigned
   C. Port: 80
   D. Hostname: www.temporary.com
3: Click OK to save the binding.
4: Click Add to add another binding with the following info:
   A. Type: Https
   B. IP Address: All Unassigned
   C. Port: 443
   D. Hostname: www.temporary.com
   E. Check "Require Server Name Indication" & "Use Centralized Certificate Store"
5: Click OK to save the SSL binding.
6: Browse to C:\Windows\System32\inetsrv\config on the local server.
7: Open the "applicationHost.config" file in Notepad.
8: Browse to the "<sites>" section and locate the relevant site name: "domain.com"
9: Locate the bindings that you created from the GUI.  They will be in this format:
<binding protocol="https" bindingInformation="*:443:www.temporary.com" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:www.temporary.com" />
10: Remove the host info from the binding so that it now looks like this:
<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:" />
11: Save the file and close it.
12: Open the Bindings menu from IIS and confirm that the host value is now removed.  Restart IIS.
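The author mentions wanting to script this for 300 sites across 6 servers rather than clicking through IIS Manager. The following is an added example (not from the thread or any of its participants) that creates the same http and https (SNI + CCS, sslFlags=3) bindings with the WebAdministration module and then lists every https binding so a binding left at sslFlags=0 can be spotted before it silently takes over the IP:443 pair. It assumes IIS 8 on Windows Server 2012 R2, that the Central Certificate Store was already enabled on the server (for example with Enable-WebCentralCertProvider), and that the site-to-hostname table is constructed sample data.

```powershell
# Added example: bulk-create SNI + CCS bindings instead of using the IIS Manager GUI.
# Assumes the Central Certificate Store is already enabled on this server and that
# each client's certificate is stored in the CCS share as <hostname>.pfx.
Import-Module WebAdministration

# Constructed sample data: IIS site name -> hostname the client uses.
$sites = @{
    'ClientA' = 'www.clienta.example'
    'ClientB' = 'shop.clientb.example'
}

foreach ($siteName in $sites.Keys) {
    $hostName = $sites[$siteName]

    if (-not (Test-Path "IIS:\Sites\$siteName")) {
        Write-Warning "Site '$siteName' does not exist; skipping"
        continue
    }

    # Plain HTTP binding carrying the host header (the thread's step 2).
    if (-not (Get-WebBinding -Name $siteName -Protocol http -HostHeader $hostName)) {
        New-WebBinding -Name $siteName -Protocol http -Port 80 -IPAddress '*' -HostHeader $hostName
    }

    # HTTPS binding. SslFlags: 1 = require SNI, 2 = use CCS, 3 = both (the thread's step 4E).
    # With SNI the certificate is selected per hostname, so the wildcard binding on the
    # same IP:443 keeps serving *.ourdomain.com instead of being overridden.
    if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName)) {
        New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
            -HostHeader $hostName -SslFlags 3
    }
}

# Verification: every https binding created this way should show sslFlags 3.
# A binding with sslFlags 0 on *:443 is bound to the IP:port, not the hostname, and
# reproduces the "takes over all SSL traffic" symptom described in the question.
Get-WebBinding -Protocol https |
    Select-Object @{ n = 'Site'; e = { $_.ItemXPath -replace ".*@name='([^']+)'.*", '$1' } },
                  bindingInformation, sslFlags |
    Format-Table -AutoSize
```

Run it on each of the six servers (or wrap it in Invoke-Command) since bindings live in each server's own applicationHost.config.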
 

Author Closing Comment

by:bobbailey22
ID: 40650704
We found the solution with the help of one of our technicians here.  It has been documented for future reference.

Question has a verified solution.