Wildcard Host Header + SSL?

I blogged about wildcard host headers a while ago, and recently I read a couple of postings about wildcard host headers + SSL support. Wildcard SSL certs are supported by Microsoft starting with IIS 5 (I think it works with IIS 4 as well, but I haven't tested it). It works with the concept of a wildcard CN, or common name, as described in this KB (Accepted wildcards used by server certificates for server authentication). The catch is that each wildcard SSL cert is bound to a unique IP address, and it doesn't really work with host headers. Why? Because it just can't: the host header is part of the encrypted data, as described in this KB (HTTP 1.1 host headers are not supported when you use SSL). So, just to be clear so that you are not confused: IIS supports both technologies in a 'way', but not mixed together as one feature.

In short, you can have host header + SSL for a specific website. On the other hand, for a wildcard SSL site you basically don't need a host header at all, as the SSL binding is tied to the website's IP address. Now, how can you have a host header with SSL on an IIS website? (Take note: this is a normal host header, not a wildcard.)
Step 1: Get a wildcard SSL cert. Many commercial CAs like Verisign, Thawte, etc. support wildcard SSL certs. Just ensure that you specify *.yourdomain.com as the common name of the cert.
Step 2: Install the wildcard SSL cert on the website.
Step 3: Configure the SSL port using the SecureBindings metabase key (the value has the form ip:port:hostheader). E.g.
cscript.exe adsutil.vbs set /w3svc/websiteID/SecureBindings "ip.ip.ip.ip:443:header.yourdomain.com"

Take note that we specify the host header value in the SecureBindings setting. So what about wildcard host header + SSL? Well, I haven't tested this, but I would assume it will work if you have a 'blank' host header + a wildcard * DNS A record + a wildcard SSL cert bound to that specific IP address.

Say you have 2 domains. Your config will look something like this:

Site 1: fa.com
Host header: (blank)
SSL cert: *.fa.com
IP/Port: 192.168.10.1:80
SSL IP/Port: 192.168.10.1:443

Site 2: fb.com
Host header: (blank)
SSL cert: *.fb.com
IP/Port: 192.168.10.2:80
SSL IP/Port: 192.168.10.2:443

Hence, with a wildcard DNS entry for the fa.com domain, an HTTP query to fa.com (e.g. iis.fa.com) will be served on port 80, while https://ssl.fa.com will be taken care of by port 443 + the *.fa.com wildcard cert.
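Added example, not from the original post: a small Python pre-flight check that parses SecureBindings values in the ip:port:hostheader form used above and verifies that the wildcard CN of the cert on each site actually covers the names that will reach it. The matching rule (the '*' is the whole leftmost label and covers exactly one DNS label, per RFC 2818 and the KB cited above) is what makes *.fa.com cover ssl.fa.com but not fa.com itself; the two-site layout is the post's own, while the hostnames tested and the helper names are constructed here.

```python
import ipaddress
import re

# Constructed sample: the post's two-site layout with blank host headers.
# IPv4 addresses are assumed (the split below would not handle IPv6 literals).
SITES = {
    "Site 1 (fa.com)": {"cn": "*.fa.com", "binding": "192.168.10.1:443:"},
    "Site 2 (fb.com)": {"cn": "*.fb.com", "binding": "192.168.10.2:443:"},
}


def parse_secure_binding(binding: str) -> tuple:
    """Split an IIS SecureBindings value into (ip, port, host_header).

    An empty third field is the 'blank host header' case from the post.
    """
    ip, port, host = binding.split(":", 2)
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return ip, int(port), host.lower().rstrip(".")


def cn_matches_host(cn: str, host: str) -> bool:
    """Does a server-cert common name cover a requested hostname?

    '*' must be the entire leftmost label and matches exactly one label:
    *.fa.com covers ssl.fa.com but neither fa.com nor a.b.fa.com.
    """
    cn, host = cn.lower(), host.lower().rstrip(".")
    if not cn.startswith("*."):
        return cn == host
    suffix = cn[1:]  # ".fa.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return re.fullmatch(r"[a-z0-9-]+", leftmost) is not None


def check_site(cn: str, binding: str, requested_host: str) -> dict:
    """Report whether the binding's host header and a client's requested
    name are both covered by the cert installed on the site."""
    ip, port, header = parse_secure_binding(binding)
    return {
        "ip": ip,
        "port": port,
        # blank host header: any name resolving to this IP reaches the site
        "header_ok": header == "" or cn_matches_host(cn, header),
        "cert_covers_request": cn_matches_host(cn, requested_host),
    }


if __name__ == "__main__":
    for name, site in SITES.items():
        print(name, check_site(site["cn"], site["binding"], "ssl.fa.com"))
```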

Confused? .... :)

Published Wed, May 25 2005 15:41 by bernard

Comments

# bernard said on 30 May, 2005 10:17 AM
Cool posting.

I've been successful with wildcard SSL + wildcard DNS on an IIS virtual server hosting SharePoint in host header mode, otherwise known as scalable hosting. It's worked well and is now supporting around 1000 unique subdomains.

Example:

DNS & SSL Cert:
https://*.team.domain.com

SiteName:
https://site.team.domain.com

The IIS website/virtual server is not IP bound in this case, as SharePoint does not support IP binding. It's the only IIS virtual server on the box, in a 2-node cluster.
# bernard said on 30 May, 2005 05:29 PM
Thanks for sharing Joel. That's the trick with *.subdomain.com wildcard cert :)
# Server: Microsoft-IIS/7.0\r\n said on 12 October, 2006 11:04 PM

Starting with Windows 2003 SP1, you will be able to configure SSL with your host header websites. I'm
