IIS7: can't set host name on site with SSL cert and port 443
Solution 1
You can't do it from the UI, you have to do it from the command line. Here's a nice walk through of the process:
http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html
Solution 2
Its does work in GUI...
Just make sure the the 'friendly name' of the cert you are installing is the same as the multidomainname you have made for the cert.
ie. *.companydomain.com
if you put in 'Nice friendly name' for *.companydoman.com cert, when installing the cert into IIS, it will grey out the host name header box.
If you use *.companyname.com as the friendly name, you're golden.
Boom.
Solution 3
The short answer is that each IP can only have one certificate bound to it, so the certificate binding is going to apply no matter what hostname is directed to that IP address. Being able to specify a hostname would imply that you can have multiple hostname and certificate combinations on the same IP address and port (as you can with non-SSL entries), but this is not the case, so the field is unavailable.
The more complete explanation is that SSL encrypts your traffic, and part of that traffic is the HTTP headers sent by the browser to the server. One of those headers would be the "Host" header which IIS uses to determine which site to load up with the request. Since the certificate needs to be loaded to establish the secure connection BEFORE the request headers are sent, IIS has to select the certificate based only upon the IP address and port number, leaving the "Host" header out in the cold as a factor in determining which site to load, so they don't let you enter one.
Here is an article which outlines the inner workings of the SSL connection in finer detail.
Solution 4
The SSLShopper answer did not work for me because it left the binding without the host header, and you couldn't remove that binding without breaking the connection to the certificate. Here is the method I used to get it to work:
Please note that this answer assumes that your certificate has already been generated, added to the certificate store, and added to IIS. It also assumes you do not want any other bindings to your website besides the SSL one.
First, we need to gather some information. We need the hash, the application ID and the host name.
Steps
- Open IIS, select your server and double click on "Server Certificates" in the bottom section. Note the "Issued To" address. This is our host name. Save this.
- Select your site
- Bind your site to port 80 using the http protocol
- Remove all other bindings
- Bind your site to port 443 using the https protocol
Open a command prompt
netsh http show sslcert
Save the Certificate Hash and the Application ID
- Remove the https binding on your site
At the command prompt:
netsh http add sslcert ipport=0.0.0.0:443 certstorename=my certhash=<put Certificate Hash here> appid={<put Application ID here>} appcmd set site /site.name:"<put site name here>" /+bindings.[protocol='https',bindingInformation='*:443:<put host name here>']
Note: Appcmd.exe can be found in C:\Windows\System32\inetsrv. You may need to be in that folder for this command to work.
- Remove the http binding from your site
Solution 5
The accepted answer here is confusing and I don't think it's correct for the question. It shouldn't be the accepted answer.
The problem
You have a wildcard SSL such as *.ipsum.com
and the certificate is installed but you can't choose a host name for the site in IIS when you try to add an HTTPS binding because the text box is greyed out.
The solution
Your wildcard SSL can be used with any subdomain, you just need to make sure you start the Friendly Name of the certificate with *
. I prefer to use the same friendly name as the wildcard domain, e.g. *.ipsum.com
but you can call it anything that beings with the asterix: *foo
I gave my certificate the wrong Friendly Name, help!
Since Windows 8 or Server 2012, you can type certlm.msc
in the start menu to manage certificates for the local machine. On previous versions of windows you will need to do something slightly more convoluted:
- Run
mmc.exe
from start - Go to
File
menu and chooseAdd/Remove Snap-in...
or hit(Ctrl-M)
- Highlight the
Certificates
snap-in and hitAdd >
then chooseComputer Account
followed byLocal Computer
in the subsequent dialogs then hitFinish
followed byOK
to close the Snap-ins window
In the main window, expand Certificates (Local Computer)
then Personal
then Certificates
and you will be able to right-click the certificate, hit Properties
where you can update the friendly name.
Close and open IIS Manager and you can then set your host name.
Related videos on Youtube
p.campbell
Developer in the Microsoft .NET & SQL Server stack. I am focused on delivering great applications in small iterations. I've developed solutions in the healthcare, manufacturing, and transportation verticals. My open source projects on GitHub. Continuously learning.
Updated on September 17, 2022Comments
-
p.campbell over 1 year
Consider a Win 2008 SP2 machine with IIS7. The task is to apply a certificate and host name to the one and only Site on this machine. The site's host headers need to be
abc.123.example.com
The first step was installing the .pfx to the Personal Store, which was successful.
IIS7 finds the cert as available, but won't allow the entry of a host name. The host name textbox is ALWAYS disabled/greyed out, even before selecting my cert. I've even deleted the default port 80 binding.
Question: how can I set a host name for this site? Is it a matter of this cert being a wildcard cert? I understand that the SSL request comes into the web server, and the host header in the packet is encrypted. Why then would IIS6 allow the host header to be specified, but IIS7 not?
Update: The cert isn't part of the problem. I've created a new Site on the machine, and when choosing https binding, the host name textbox is disabled.
-
p.campbell over 14 yearsThanks for this answer, Justin. I am still unsure why IIS7 doesn't let me specify a host header, even when I pick one of the IP addresses in the list. IIS6 does without any problems. As mentioned, this is the one and only site on the machine.
-
davidcl over 14 yearsDoesn't apply to IIS 7.
-
raja over 14 yearsthat's odd since it worked when we did it...
-
russau almost 14 yearshandy trick, give the cert a friendly name starting with '*' an IIS won't gray out the host-header box: blog.armgasys.com/?p=80
-
russau almost 14 yearsHost headers can work with a wildcard cert, or a multi-domain "UC" cert: sslshopper.com/unified-communications-uc-ssl-certificates.html. In this case the server only has 1 cert to serve even tho there is multiple hostnames.
-
Garrett over 11 yearsThank you for this tip! In case anybody else can't rename a cert from IIS (can anybody?) you can rename the cert in the MMC snap-in for Certificates. Just load MMC, add Certificates snap-in, select Computer Account, Local Computer. Once you've loaded the Certificates snap-in you can browse to Certiifcates (Local Computer) > Personal > Certificates and right click to select Properties on your cert. Change the Friendly name field to *.yoursite.com and reload the IIS manager snap-in
-
potatopeelings about 8 yearsThanks! This helped me finally get my site working in HTTPS. I corrected a typo in one of the commands, but I had to add the Steps heading to get past the minimum length requirements. Feel free to remove that - your original answer is easy to follow. Cheers!
-
Joe Phillips almost 8 yearsThis is the real answer. Nice
-
Dan Solovay over 6 yearsVery clear explanation. +1
-
Kreker almost 6 yearsIt did the trick!
-
nesu almost 6 yearsThis worked for me with a certificate with 6 SANs (not a wildcard certificate) with a slight variation because I had multiple sites. I had to do steps 1 to 7 once. Step 8 had to be done on each site. The first command of step 9 had to be done once and the second command of step 9 had to be done once per site.
-
Brian Pursley almost 6 yearsI know this is old, and it is only in a comment, but this handy trick saved me some frustration. Thank you!
-
Charles Robertson over 4 years@Garrett Does this mean that if I have used a friendly name like 'My Domain SSL', things will still work, even though the host name field is blank. It really freaked me out when I lost my host names, but my 4 wildcard sub domains seem to work fine with the reissued SSL? Clearly using '*.mydomain.com' as a friendly name just allows you to see the host name, but under the hood, both options should work. Otherwise, IIS should be explicitly telling us to use a qualified domain name & not a friendly name?
-
Charles Robertson over 4 years@Zac Awesome. Awesome. Awesome. Although I don't actually think it matters if the host name field is blank, it gave me more peace of mind. Please bear in mind, that I was re-issueing my certificate. So my host name was already in the host name field before it went blank. My wildcard SSL seemed to work with either a friendly name or .*mydomain.com type name. I think IIS keeps an internal record of the host name, after the host name field goes blank. I thought I should mention this, in case people are freaking out!
-
Charles Robertson over 4 years@Zac Oh. And this solution works on dinosaur servers like Windows 2008R2...
-
Zac over 4 years@CharlesRobertson very glad this helped, and thanks for adding that supplementary info!
-
NiKiZe about 4 yearsSince you clearly can do this from the UI, (see other answer) this answer should be removed, or at least updated.
-
NiKiZe about 4 yearsThis is not true in later versions of IIS that support
SNI
-
joeqwerty about 4 years
1.
You can't add a host header in the way the OP needed to, as pointed out in the answer you're referring to.2.
This question and answer are 11 years old. Nobody is looking at this question and answer any longer.