Tech Off Thread

7 posts

IIS, SSL Certificates, and hostheaders

  • W3bbo

    Suppose you've got an SSL certificate for "foo.com" and you've got an IIS website which serves requests for both "www.foo.com" and "foo.com".

    Now any request for "https://www.foo.com" would give errors since the cert was issued to foo.com and not www.foo.com.

    What's the best way around this besides ordering a Wildcard SSL certificate? Is there any way to get IIS to automatically redirect all requests to www.foo.com to foo.com or something?

    Or if I've got 2 certificates, one for "www.foo.com" and one for "foo.com" is there any way to make them work together for the same website?

  • Matthew van Eerde

    Yes - you can configure multiple IP addresses on the server and have foo.com and www.foo.com bind to different IP addresses.

    As I understand common-or-garden SSL, the security is put in place before the Host: header is available, so the header cannot be used to determine which certificate is appropriate.  TLS avoids this issue, but I'm not sure how.

  • W3bbo

    Matthew van Eerde wrote:
    Yes - you can configure multiple IP addresses on the server and have foo.com and www.foo.com bind to different IP addresses.


    Not really an option, I've only got 1 IP address.

    But for now it'll have to do until I can afford a wildcard cert. Ah well.

  • Matthew van Eerde

    Another option is to use a non-default port for the second SSL binding... you'll have to use URLs of the form https://foo.com:1337/ but the security will be preserved.

  • W3bbo

    Matthew van Eerde wrote:
    Another option is to use a non-default port for the second SSL binding... you'll have to use URLs of the form https://foo.com:1337/ but the security will be preserved.


    That's not what I'm after though.

    My cert is for "foo.com", and that's it. Yet people expect websites to be at "www.foo.com". The same virtual server serves requests for both "foo.com" and "www.foo.com". Since the host-headers are different than the cert my visitors get a warning.

    I'm trying to eradicate the warning. I can get a second SSL for "www.foo.com" in addition to my cert for "foo.com", but I can't see if/where/how IIS supports multiple certs per single instance of a virtual server.

  • Dodo

    Hmmm you could try to redirect without even sending out the SSL certificate, and on the destination use SSL again.

    So basically you'd have a non SSL vhost answering at port 443 and redirecting to the other vhost.

  • Jorgie

    Host headers cannot be used for SSL because the setup of the SSL connection takes place when only the requested IP address is available to IIS.

    The best you can do with a single IP address is set up a non-SSL website for the host header www.foo.com and have it redirect to https://foo.com.

    This will work fine if people type www.foo.com in their browser as long as they don't type the HTTPS in front.

    BTW the option you want is: "A permanent redirection for this resource"

    Jorgie
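
Added example (not code from any poster, and a model rather than IIS's own logic): the Python below reproduces the options raised in this thread by selecting a certificate from what the server knows at handshake time and then applying the client's name check. It goes slightly beyond the thread by also modelling a certificate that lists both names and selection by a hostname the client sends during the handshake (the TLS Server Name Indication extension); the address 192.0.2.10 and every binding table are constructed.

```python
IP = "192.0.2.10"  # constructed documentation address, stands in for the single server IP

def name_matches(cert_name, host):
    """Exact match, or '*' standing for exactly one left-most label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False  # so '*.foo.com' does not cover the bare 'foo.com'
    if c[0] == "*":
        # simplification: refuse wildcards directly under a top-level label
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

def presented_cert(bindings, ip, port, sni):
    """Names on the certificate the server presents during the handshake.
    Keys are (ip, port, server_name); server_name None is the per-socket default,
    which is all the server can key on when no hostname arrives in the handshake."""
    if sni is not None:
        cert = bindings.get((ip, port, sni.lower()))
        if cert is not None:
            return cert
    return bindings.get((ip, port, None))

def warns(bindings, port, host, sni_sent):
    """True if the client would get a name-mismatch warning for https://host:port/."""
    cert = presented_cert(bindings, IP, port, host if sni_sent else None)
    return cert is None or not any(name_matches(n, host) for n in cert)

# Constructed binding tables for the situations discussed in the thread.
ONE_CERT = {(IP, 443, None): ["foo.com"]}
ALT_PORT = {(IP, 443, None): ["foo.com"], (IP, 1337, None): ["www.foo.com"]}
WILDCARD = {(IP, 443, None): ["*.foo.com"]}
BOTH_NAMES = {(IP, 443, None): ["foo.com", "www.foo.com"]}
BY_NAME = {(IP, 443, None): ["foo.com"], (IP, 443, "www.foo.com"): ["www.foo.com"]}

def report():
    """(scenario, warning for foo.com, warning for www.foo.com) per table."""
    cases = [("one cert", ONE_CERT, 443, False), ("alt port 1337", ALT_PORT, 1337, False),
             ("wildcard only", WILDCARD, 443, False), ("both names", BOTH_NAMES, 443, False),
             ("per-name, hostname sent", BY_NAME, 443, True),
             ("per-name, hostname not sent", BY_NAME, 443, False)]
    return [(label, warns(b, port, "foo.com", sni), warns(b, port, "www.foo.com", sni))
            for label, b, port, sni in cases]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The "wildcard only" row shows a point worth checking before buying: a certificate whose only name is `*.foo.com` matches `www.foo.com` but not the bare `foo.com`.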
