
Solved

IIS 8 SSL Certificates not assigning to proper site in Certificate Store

Posted on 2015-02-23
12
Medium Priority
693 Views
Last Modified: 2015-03-07
We have 6 web servers all running 2012 R2 and IIS 8.  They all run the same website with a wildcard certificate *.ourdomain.com that works great.  Most of our clients use name.ourdomain.com for their websites on our platform so our cert covers 99% of them.

We have some clients who like to use their own custom domain on our system and that is where we have run into some issues.  I set up a "certificate store" for client certs and we have added the client's certificates there.  Our wildcard cert is bound individually to each of the 6 web servers in the traditional way, because the certificate store requires a hostname, which defeats the purpose of a wildcard.  Also SNI does not help us with the wildcard cert either, I have read that it is better not to use it in our situation with wildcards but I may be wrong.  Enabling it does not fix this issue.

When assigning/binding the certificate store cert to the client's website using name.clientdomain.com, it seems to take over all the ssl traffic regardless of the hostname requested and our main site breaks.  Is there a better way to set this up?  Do I need to assign separate IP addresses like we did back in IIS7?  I want to avoid that since it eats up 6 IP's for each client and they would fill up fast.

Or should I assign one block of IP's for the wildcard and one block for the shared certificate store certs?

Thanks for your help I hope that all makes sense.
0
Question by:bobbailey22
12 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40628245
Only one certificate can be bound to an IPAddress/Port.  So,... you need to either assign additional IPs for each site using a different certificate, or start moving those sites to 'other' ports, which is rarely agreeable.
0
 
LVL 79

Expert Comment

by:arnold
ID: 40628274
To Rich's point, you must have multiple public IPs available to implement it.

Ip1:443 => lanip1:443
Ip2:443 => lanip2:443 or lanip1:1234
Ip3:443 => lanip3:443 or lanip1:2345
0
 

Author Comment

by:bobbailey22
ID: 40628594
Thanks guys, that is what I thought.  I should be able to share an IP for the certificate store though, correct?
0
 
LVL 79

Expert Comment

by:arnold
ID: 40628752
The certificate store is computer/user/service not IP based.
You can assign a certificate from a store with the correct function to ....... a service that is bound to an IP:port.
0
 

Author Comment

by:bobbailey22
ID: 40628849
So if I am understanding properly, as long as our clients don't have a wildcard certificate, we can use the cert store on a different set of IP addresses on our 6 servers with as many certs as required?

Wildcard bindings: x.x.x.1-6   *.ourdomain.com
Cert store bindings: x.x.x.7-12 unlimited certs on   name.client.com
Future wildcard certificates: x.x.x.13-18 and so on..  *.newclient.com

Correct?
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40628870
I'm not certain where the requirement for six IP addresses per certificate comes from... but assuming that part is correct, your scheme appears correct.  (That is, you're not attempting to bind two different certificates on the same IP.)
(Edit: Wait!  I see where the requirement for six IPs comes from... you have six servers.  Sorry about that.  Yes!  That definitely looks right then.)
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 1000 total points
ID: 40628920
Without SNI the same cert is used for an IP/Port even though you use host headers to serve multiple websites. So you are supposed to force SNI for your sites using other certs.
0
 

Author Comment

by:bobbailey22
ID: 40629400
Ok I am going to assign six new IP addresses for the shared store to use.  I will update once that is done.

Do you know if unified certs work with the cert store for their 5 hostnames?
0
 

Author Comment

by:bobbailey22
ID: 40629731
So after digging into this further I have found that there are some changes in IIS 8 in regard to multiple sites sharing an IP address.  I do not need to add new IP addresses to my servers.  I was just setting it up wrong.  I have posted a new, unrelated question here in case any of you can offer insight:

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_28623843.html

You CAN use as many SSL secured websites as you want using the same IP address (with SNI and certificate store) but you need to add a hostname to the bindings in IIS for each site.  I was trying to avoid this since it would mean manually adding them for over 300 sites (x6 servers) but that is just the way things are.

I can now use appcmd to assign the bindings but need a way to programmatically enable SNI and Central Cert Store, hence the new question.  I will leave this open for a bit in case you all have any further insight into this topic.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40629919
That's exactly what I was referring to by "host headers" in my comment. I'm glad you now have an understanding of how that works.

I don't have any experience in automating what you need to do from here but I bet powershell will be the way.
0
 

Accepted Solution

by:bobbailey22
bobbailey22 earned 0 total points
ID: 40640325
Here is the proper way to add bindings using SNI and CCS

How to Configure Bindings in IIS 8 using Server Name Indication(SNI) and Central Certificate Store(CCS).
*This must be done this way to ensure all the necessary registry keys are created.
Located : HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslSniBindingInfo

1: Choose web site in IIS.  Go to Bindings Menu and Add a new binding.
2: Enter the following info:
A.      Type: Http
B.      IP Address: All Unassigned
C.      Port: 80
D.      HostName: www.temporary.com
3: Click OK to save binding
4: Click Add to add another binding with the following info:
A.      Type: Https
B.      IP Address: All Unassigned
C.      Port 443
D.      hostname: www.temporary.com
E.      Check “Require Server Name Indication” & “Use Centralized Certificate Store”
5: Click OK to save SSL binding.
6: Browse to:  C:\Windows\System32\inetsrv\config on local server.
7:  Open “applicationHost.config” file in notepad
8: Browse to the “<sites>” section and locate the relevant site name: “domain.com”
9: Locate the Bindings that you created from the GUI.  They will be in this format:
<binding protocol="https" bindingInformation="*:443:www.temporary.com" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:www.temporary.com" />
10: Remove the host info from the binding so that it now looks like this:
<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:" />
11: Save File and close
12: Open the Bindings menu from IIS and confirm that the host value is now removed.  Restart IIS.
0
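The binding step of the procedure above, and the "programmatically enable SNI and Central Cert Store" need raised earlier in the thread, can be scripted instead of done per site in the GUI and by hand-editing applicationHost.config. The following is an added example and not code from the thread; it assumes the WebAdministration module on IIS 8 / Server 2012 R2, and the site name, hostnames and CCS share path are constructed placeholders.

```powershell
# Added example (not from the thread): create SNI + CCS bindings for a list of
# client hostnames on one shared IP, then audit for https bindings that would
# still fall back to an IP-bound certificate. Assumes WebAdministration (IIS 8).
Import-Module WebAdministration

# sslFlags bits as IIS 8 writes them into applicationHost.config:
# 1 = Require Server Name Indication, 2 = Use Centralized Certificate Store.
$SslSni = 1
$SslCcs = 2

$siteName  = 'ClientPlatform'                                  # constructed
$hostnames = @('www.client1.example', 'shop.client2.example')  # constructed
$ccsShare  = '\\fileserver\ccs'                                # assumed share

# Enabling CCS itself is a one-time, server-wide step (Enable-WebCentralCertProvider);
# this script only handles the per-site bindings.
foreach ($h in $hostnames) {
    # CCS selects the certificate by file name, so <hostname>.pfx must already
    # be in the share; otherwise the TLS handshake for that hostname fails.
    if (-not (Test-Path (Join-Path $ccsShare "$h.pfx"))) {
        Write-Warning "No $h.pfx in $ccsShare; binding for $h skipped"
        continue
    }
    # Idempotent: re-running over hundreds of sites must not duplicate bindings.
    $exists = Get-WebBinding -Name $siteName -Protocol https |
        Where-Object { $_.bindingInformation -eq "*:443:$h" }
    if (-not $exists) {
        New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
            -HostHeader $h -SslFlags ($SslSni -bor $SslCcs)
    }
}

# Audit: an https binding without the SNI bit is tied to IP:port and answers
# for every hostname on that address, the "takes over all SSL traffic" symptom
# from the question. List them so they can be reviewed.
$legacy = Get-WebBinding -Protocol https |
    Where-Object { -not ([int]$_.sslFlags -band $SslSni) }
$legacy | Select-Object protocol, bindingInformation, sslFlags | Format-Table -AutoSize

# Cross-check against what HTTP.SYS actually holds; SNI entries appear as Hostname:port.
netsh http show sslcert
```

For the wildcard site the CCS file takes an underscore in place of the asterisk (for example `_.ourdomain.com.pfx`), so the existence check above would need that substitution for wildcard hostnames.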
 

Author Closing Comment

by:bobbailey22
ID: 40650704
We found the solution with the help of one of our technicians here.  It has been documented for future reference.
0

Question has a verified solution.