Host Headers, Secure Site Bindings, and SSL

Background

For IIS 6, see this page on configuring SSL host headers in IIS 6.

Host headers are used to host multiple secure websites on one IP address. If you use host headers with a regular SSL Certificate, the same certificate must be used for every site that is secured. If multiple SSL Certificates are used, the server usually has a problem providing the correct SSL Certificate when an HTTPS connection is established, which causes a certificate name error.

However, if you use host headers in combination with certificates that can cover more than one website (wildcard or UC certificates) you can secure multiple sites on one IP.

A wildcard certificate secures any subdomain of the domain that it was issued to. For example, a DigiCert® Wildcard Plus™ Certificate that is issued to *.domain.com will cover something.domain.com, anything.domain.com, and whatever.domain.com. Because the *.domain.com certificate is valid on any of these domains, you will not receive an error message.

Similarly, a single DigiCert Unified Communications Certificate can secure multiple fully-qualified domain names. And, contrary to popular belief, UC certificates are compatible with almost all major server types. The difference between UC certificates and wildcard certificates is that while wildcards work on multiple websites because of the * character in the domain name, UC certificates include a Subject Alternative Name (SAN) field that allows the certificate to include multiple names. For example, a UC certificate can include www.domain.com, www.domain2.com, www.domain3.com, and mail.domain3.com. The certificate could then be installed to all four sites. When connecting to any of those sites, a browser will check the name that it is connecting to against the list of SAN names in the certificate. As long as a valid match is found, no error message is displayed.

There are two ways to set up host headers in IIS 7. We recommend using the DigiCert Utility and the IIS 7 GUI to set up the host headers and site bindings. However, you can also configure SSL host headers using the command line. Instructions for both methods are listed below.

Setting Up Host Headers in IIS 7 Using the DigiCert Utility

To set up host headers in IIS 7, you need to format the friendly name to start with an * character. With our DigiCert Certificate Utility this is very easy. Once you format the friendly name you can set up host headers and site bindings. If the friendly name doesn't have a * character you'll have to use the command line to configure SSL host headers to use your SSL Certificate on multiple websites.

Formatting the Friendly Name

  1. Download and run the DigiCert Certificate Utility on your IIS server.
  2. In the utility, right-click your certificate and click Edit Friendly Name.


  3. The friendly name can be anything you want as long as it starts with an *.


Setting Up Host Headers and Site Bindings

  1. Open IIS by navigating to Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.

  2. Expand your server name and then Sites. Right-click a website and click Edit Bindings.


  3. If you have already created an https binding for this website, select it and click Edit. Otherwise, click Add to create a new binding.



  4. In the window, set the following options and then click OK:

    Type:             https
    Host name:        Your website's DNS name (e.g. website1.domain.com)
    SSL Certificate:  *YourCertificateFriendlyName


    Host headers should now be properly configured for that website.

  5. Repeat these steps as many times as needed for all of the sites you want to assign SSL host headers to. Change the host name to match the website's DNS name each time.

Setting Up Host Headers in IIS 7 Using the Command Line

  1. Install the SSL Certificate to the site where you will use secure bindings.
  2. Next, open a command line by clicking Start > Run. Type cmd and click OK.
  3. Type cd C:\Windows\System32\Inetsrv\ and press Enter to change to the directory where you manage SSL host headers.
  4. Type the following command on one line:

    appcmd set site /site.name:"Name of Website in IIS" /+bindings.[protocol='https',bindingInformation='*:443:Host Header']

    You can find the name of the website in IIS and its host header in the IIS 7 Connections window under Sites. The host header value is the value that is assigned to the (e.g. digicert.com).


    You should see a response message in the command prompt that says "SITE object "your site" changed".

  5. Repeat the previous step as many times as necessary until you have set up SSL host headers for all of the websites that need them. If you need to enter the command for multiple sites, we recommend using our DigiCert IIS 7 SSL Host Header Command Generator.

You may need to restart the IIS sites for the changes to take effect. You can verify the changes by opening each site in a web browser. If the wrong page is displayed for any URL, your SSL host headers have not been configured correctly.
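
A pre-flight check for the command-line procedure above, as an added example (not DigiCert's code and not its command generator): it tests each host header against the certificate's names before emitting the appcmd line from step 4, so a name that would trigger a certificate name error is flagged instead of bound. The function names, the sample names and sites, and the rule that a wildcard stands for exactly one left-most label (the way browsers match it) are assumptions of this example.

```powershell
# Added example. Certificate names and the site list are constructed sample values.

function Test-CertNameMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant().TrimEnd('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    if ($p.StartsWith('*.')) {
        # Assumption: the wildcard stands for exactly one left-most label, so
        # *.domain.com matches a.domain.com but not domain.com or a.b.domain.com.
        $suffix = $p.Substring(1)    # ".domain.com"
        if (-not $h.EndsWith($suffix, [System.StringComparison]::Ordinal)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($p -eq $h)
}

function Test-CertCoversHost {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($name in $CertNames) {
        if (Test-CertNameMatch -Pattern $name -HostName $HostName) { return $true }
    }
    return $false
}

function New-HostHeaderCommand {
    param([string[]]$CertNames, [hashtable]$Sites)
    foreach ($site in ($Sites.Keys | Sort-Object)) {
        $hostName = $Sites[$site]
        if (Test-CertCoversHost -CertNames $CertNames -HostName $hostName) {
            # Same appcmd syntax as step 4 of the command-line procedure.
            "appcmd set site /site.name:`"$site`" /+bindings.[protocol='https',bindingInformation='*:443:$hostName']"
        } else {
            Write-Warning "$hostName (site '$site') is not covered by the certificate; binding skipped"
        }
    }
}

# Constructed sample: names as listed in a certificate, and IIS site name -> host header.
$certNames = @('*.domain.com', 'www.domain2.com')
$sites = @{
    'Site 1' = 'website1.domain.com'   # one label under the wildcard
    'Site 2' = 'www.domain2.com'       # exact SAN entry
    'Site 3' = 'domain.com'            # bare domain, no label for the * to replace
    'Site 4' = 'a.b.domain.com'        # two labels under the wildcard
}
New-HostHeaderCommand -CertNames $certNames -Sites $sites
```

Paste the emitted lines into the cmd prompt opened in step 3. Any site reported in a warning needs a certificate that lists its host name before it is given an https binding.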