How to configure a default web site for https using SNI and CCS


Case resolved!

1) First I used IIS to create a bogus SSL binding in the default web site for www.whatever.com, using SNI and CCS.

2) Then I manually edited this bogus binding entry in the applicationHost.config file as follows:

FROM:

<binding protocol="https" bindingInformation="*:443:www.whatever.com" sslFlags="3" />

TO:

<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />

3) Finally, I sent my certificates to the CCS folder. After about 5 minutes, the new SSL sites were automatically activated by IIS.

In other words, I got a default web site for SSL, using many certificates on the same IP and without creating a binding for each one!

This is great!!!

Guilherme Rudnitzki

Updated on March 07, 2020
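The three steps above as a PowerShell script, added here as an example and not taken from the original post. It assumes IIS 8.0 or later with the WebAdministration module, a site named "Default Web Site", the placeholder host www.whatever.com from the post, and a CCS folder path that you replace with your own; the Test-CcsCertificate function and the host list at the end are assumptions of this example, used only to check which hosts will actually get a certificate from the store.

```powershell
# Added example (not the original poster's code). Assumes IIS 8.0+ with the
# WebAdministration module and a site called "Default Web Site".
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$BogusHost = 'www.whatever.com'   # placeholder host from the post; dropped again in step 2
$CcsPath   = '\\fileserver\ccs'   # ASSUMED: the folder your Central Certificate Store points at

# Step 1: let IIS create the SNI+CCS binding. sslFlags 3 = SNI (1) + CCS (2).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $BogusHost)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
                   -HostHeader $BogusHost -SslFlags 3
}

# Step 2: the edit the post makes by hand in applicationHost.config, done through the
# IIS configuration API instead: drop the host name so the binding becomes "*:443:".
$filter = "/system.applicationHost/sites/site[@name='$SiteName']/bindings" +
          "/binding[@bindingInformation='*:443:$BogusHost']"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter `
                             -Name bindingInformation -Value '*:443:'

# Step 3: certificates go into the CCS folder. IIS picks them by file name: the exact
# "<host>.pfx" first, otherwise the wildcard form "_.<parent-domain>.pfx".
function Test-CcsCertificate {
    param([string]$HostName, [string]$Path)
    $exact = Join-Path $Path "$HostName.pfx"
    if (Test-Path $exact) { return $exact }
    $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
    $wild   = Join-Path $Path "_.$parent.pfx"
    if (Test-Path $wild) { return $wild }
    return $null
}

# Verify the catch-all binding is present with sslFlags 3 ...
Get-WebBinding -Name $SiteName -Protocol https |
    Select-Object bindingInformation, sslFlags

# ... and that each host you intend to serve has a certificate file in the store.
'www.domain1.com.br', 'www.domain2.com.br' | ForEach-Object {
    $found = Test-CcsCertificate -HostName $_ -Path $CcsPath
    if ($found) { '{0,-25} OK       {1}' -f $_, $found }
    else        { '{0,-25} MISSING  no matching .pfx in CCS' -f $_ }
}
```

Because the catch-all binding makes IIS serve whichever .pfx file name matches the SNI host name, write access to the CCS folder is what decides which certificate is presented for which domain: give the CCS account read access only, keep everyone else out of the share, and alert on new or changed .pfx files there, since a file dropped into that folder is activated automatically (the post observed this after about five minutes).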

Comments

  • Guilherme Rudnitzki over 4 years

    We use IIS8.5 with only the default web site configured, but with thousands of domains pointing to it on the same load-balanced IP.

    We are planning to offer https (SSL) for all these thousands of domains. All .pfx certificates will be stored in a Central Certificate Store (CCS) and will be bound to the same web site, using the same IP, thanks to the Server Name Indication (SNI) feature.

    SNI and CCS work fine for this purpose, but only if we add an explicit binding for each domain in the default web site, which is not practical for thousands of domains:

            <site name="Default Web Site" id="1">
                <application path="/">
                    <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
                </application>
                <bindings>
                    <binding protocol="http" bindingInformation="*:80:" />
                    <binding protocol="https" bindingInformation="*:443:www.domain1.com.br" sslFlags="3" />
                    <binding protocol="https" bindingInformation="*:443:www.domain2.com.br" sslFlags="3" />
                    <binding protocol="https" bindingInformation="*:443:www.domain3.com.br" sslFlags="3" />
                    ...
                    ...
                    ...
                    <binding protocol="https" bindingInformation="*:443:www.otherdomain9998.com.br" sslFlags="3" />
                    <binding protocol="https" bindingInformation="*:443:www.otherdomain9999.com.br" sslFlags="3" />
                    ...
                </bindings>
            </site>
    

    I tried to configure a default https protocol binding, in the same way as the default http protocol binding and using sslFlags="3", which means SNI+CCS:

            <site name="Default Web Site" id="1">
                <application path="/">
                    <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
                </application>
                <bindings>
                    <binding protocol="http" bindingInformation="*:80:" />
                    <binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
                </bindings>
            </site>
    

    With the above configuration, no SSL certificate is served to any browser.

    Is there any other way of configuring a default web site for https using SNI and CCS?

    I would really appreciate any help in pointing me in the right direction.

    Thank you!

    Guilherme