Hosting multiple SSL enabled domains off a single address with SNI on Windows

Server Name Indication, or SNI, allows a web server to serve multiple SSL-secured sites from one IP address, without needing a separate IP address for each certificate. It is supported by Apache, Nginx, and Microsoft IIS, the most commonly used web servers. This article covers how to add a site that uses SNI on IIS on Windows Server 2012. For instructions on Apache or Nginx on a Linux system, please refer to the corresponding Linux article instead.

Prerequisites

  • A server running Windows Server 2012
  • IIS 8.0 or newer (Windows Server 2012+)
  • Valid SSL certificates that correspond to the sites you will be adding

Install your certificates

Note: Your Windows server may not have its IIS components installed by default. If you don’t see IIS Manager as an available option in step 1 of the binding section, go back to the Server Manager dashboard and add the “Web Server (IIS)” role to install IIS from there.

IIS 8.0 and newer versions include support for SNI by default. This makes setting up multiple certificates almost identical to setting up a single certificate.

In the steps outlined here, you’ll place a copy of your certificate file on the server, add it to the corresponding certificate store, and bind the certificate to the site within IIS.

  1. From the Start menu, click Run.
  2. In the Run window, type mmc and click OK.
  3. In the Console window, in the menu at the top, click File > Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, under Available snap-ins (left side), click Certificates, then click Add.
  5. In the Certificates snap-in window, select Computer account, then click Next.
  6. In the Select Computer window, select Local computer: (computer this console is running on) and then, click Finish.
  7. In the Add or Remove Snap-ins window, click OK.
  8. In the Console window, in the Console Root section, expand Certificates (Local Computer).
  9. Right-click on the Personal folder and then, click All Tasks > Import to open the Certificate Import Wizard.
  10. On the Welcome to the Certificate Import Wizard page, click Next.
  11. Follow the instructions in the Certificate Import Wizard to import your certificate.
  12. On the Certificate Store page, select Automatically select the certificate store based on the type of certificate.
  13. On the Completing the Certificate Import Wizard page, verify the information is correct and click Finish.
  14. You should receive a “The import was successful” message.
  15. After you import the SSL Certificate .pfx file, you are ready to bind the certificate to the site within IIS.

Bind your HTTPS websites to your IP address

  1. First, open IIS Manager. You can find it under Administrative Tools in your Start menu (or click Start > Run, type “inetmgr” with no quotes and press Enter).
  2. Under the Connections section, expand your server’s hostname, then expand sites, to see a list of your existing sites.
  3. Right click on the site and select Edit Bindings.
  4. Within the Site Bindings dialog, click “Add” on the right hand side. In the add dialog, select HTTPS as the type, and 443 as the port. For the IP address, you can either leave it to “All Unassigned” or select the IP the server will listen on for the site.
  5. Enter the site’s domain name as the host name.
  6. Check the box, Require Server Name Indication.
  7. Finally, select the corresponding certificate from the drop down menu and select OK. The certificate is now installed and bound to the site.
  8. To add more sites on the same IP, repeat the steps above for each one: add a new site with an HTTPS binding and its host name (domain name), and assign the certificate that corresponds to that domain name.
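The same import-and-bind procedure can be scripted, which is useful when you have many SNI sites to set up or want it repeatable. The following PowerShell is an added example, not code from the original article: it imports a PFX into the local machine's Personal store (the same store the MMC steps above use), adds an HTTPS binding with "Require Server Name Indication" set, attaches the certificate to that binding, and then shows what HTTP.sys registered. The site name, host name and PFX path are placeholders; it assumes the site already exists in IIS and that the WebAdministration and PKI modules shipped with Windows Server 2012 / IIS 8 are available.

```powershell
# Added example (not from the original article). Assumes an existing IIS site,
# Windows Server 2012 / IIS 8 or newer, and the WebAdministration + PKI modules.
Import-Module WebAdministration
Import-Module PKI

$siteName    = 'Contoso Web'                    # placeholder: existing IIS site name
$hostName    = 'www.example.com'                # placeholder: name clients send via SNI
$pfxPath     = 'C:\certs\www.example.com.pfx'   # placeholder path to the .pfx file
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 1: import the certificate (with its private key) into Cert:\LocalMachine\My,
# which is the "Personal" folder under "Certificates (Local Computer)" in the MMC.
$cert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Sanity checks before binding: IIS will happily bind an expired certificate or
# one whose names do not cover the host name, and clients will only find out
# when the browser shows an error.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
}
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
# -like treats a wildcard name such as *.example.com as a pattern, so both exact
# and wildcard certificates are accepted here.
if (-not ($dnsNames | Where-Object { $hostName -like $_ })) {
    Write-Warning "Certificate names ($($dnsNames -join ', ')) do not cover $hostName"
}

# Step 2: add the HTTPS binding. IPAddress '*' is "All Unassigned", and
# SslFlags 1 is the "Require Server Name Indication" checkbox.
New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
    -HostHeader $hostName -SslFlags 1

# Step 3: attach the imported certificate to that binding ('my' = Personal store).
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Step 4: confirm that HTTP.sys now has a hostname:port SSL binding for this name.
netsh http show sslcert hostnameport="${hostName}:443"
```

Run the script once per site, changing the three placeholders. The `netsh` output at the end should list the binding keyed by host name and port rather than by IP address and port; that is the visible difference between an SNI binding and a classic per-IP binding.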

Once this is completed for all your certificates and sites, the server will direct clients to the right site based on the host name (domain name) they send. Requests whose host name matches none of the bindings will be routed to the default site.
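To verify from the client side that each host name receives its own certificate, you can open a TLS connection to the server's address with a chosen SNI name and look at which certificate comes back. The function below is an added example, not part of the original article; the server address and host names are placeholders. It deliberately accepts any certificate, because the goal is to inspect the server's choice, not to make a trust decision, and it reports a handshake failure instead of throwing, since a name with no matching binding and no non-SNI fallback binding will be refused rather than routed to a default site.

```powershell
# Added example (not from the original article). Placeholder address and host names.
function Get-SniServedCertificate {
    param(
        [Parameter(Mandatory)][string]$ServerAddress,
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($ServerAddress, $Port)
    try {
        # Accept whatever the server presents: we only want to see which
        # certificate it selected for this SNI name (diagnostic use only).
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # AuthenticateAsClient places $HostName in the ClientHello SNI extension.
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names  = @($served.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            RequestedHost = $HostName
            Subject       = $served.Subject
            DnsNames      = $names -join ', '
            Thumbprint    = $served.Thumbprint
            NotAfter      = $served.NotAfter
            # True when the served certificate actually covers the requested name.
            Covers        = [bool]($names | Where-Object { $HostName -like $_ })
        }
        $ssl.Dispose()
    } catch {
        # Typical when no binding (SNI or fallback) exists for this name.
        [pscustomobject]@{
            RequestedHost = $HostName
            Subject       = "handshake failed: $($_.Exception.Message)"
            DnsNames      = ''
            Thumbprint    = ''
            NotAfter      = $null
            Covers        = $false
        }
    } finally {
        $client.Close()
    }
}

# Usage: query each bound name plus one that has no binding, so the fallback
# behaviour described above is visible in the same table.
$serverIp = '203.0.113.10'   # placeholder address (TEST-NET-3 range)
'www.example.com', 'shop.example.com', 'nobinding.example.com' |
    ForEach-Object { Get-SniServedCertificate -ServerAddress $serverIp -HostName $_ } |
    Format-Table -AutoSize
```

A row whose `Covers` column is `False` means the server answered that SNI name with a certificate for some other site, which is exactly the misconfiguration browsers report as a name mismatch; a row reporting a handshake failure means no binding was selected for that name at all.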
