Host Headers, Secure Site Bindings, and SSL

Background

For IIS 8, see Configuring SSL Host Headers in IIS 8 and IIS 8.5.
For IIS 6, see Configuring SSL Host Headers in IIS 6.

Host headers are used to host multiple secure websites on one IP address. If you use host headers with a regular SSL Certificate the same certificate must be used for every site that is secured. If multiple SSL Certificates are used, the server usually has a problem with providing the correct SSL Certificate when an HTTPS connection is established, causing a certificate name error

However, if you use host headers in combination with certificates that can cover more than one website (Wildcard or Multi-Domain (SAN) Certificates) you can secure multiple sites on one IP.

A Wildcard Certificate secures any subdomain of the domain that it was issued to. For example, a DigiCert® Wildcard Plus™ Certificate that is issued to *.domain.com will cover something.domain.com, anything.domain.com, and whatever.domain.com. Because the *.domain.com certificate is valid on any of these domains, you will not receive an error message.

Similarly, a single DigiCert Multi-Domain (SAN) Certificate can secure multiple fully-qualified domain names. And, contrary to popular belief, Multi-Domain (SAN) Certificates are compatible with almost all major server types. The difference between Multi-Domain (SAN) Certificates and Wildcard Certificates is that while Wildcards work on multiple websites because of the * character in the domain name, Multi-Domain (SAN) Certificates include a Subject Alternative Name (SAN) field that allows the certificate to include multiple names. For example, a Multi-Domain (SAN) Certificate can include www.domain.com, www.domain2.com, www.domain3.com, and mail.domain3.com. The certificate could then be installed to all four sites. When connecting to any of those sites, a browser will check the name that it is connecting to against the list of SAN names in the certificate. As long as a valid match is found, no error message is displayed.

There are two ways to set up host headers in IIS 7. We recommend using the DigiCert Utility and the IIS 7 GUI to set up the host headers and site bindings. However, you can also configure SSL host headers using the command line. Instructions for both methods are listed below.

Setting Up Host Headers in IIS 7 Using the DigiCert Utility

To set up host headers in IIS 7, you need to format the friendly name to start with an * character. With our DigiCert Certificate Utility this is very easy. Once you format the friendly name you can set up host headers and site bindings. If the friendly name doesn't have a * character, you'll have to use the command line to configure SSL host headers to use your SSL Certificate on multiple websites. See Setting Up Host Headers in IIS 7 Using the Command Line.

Formatting the Friendly Name

  1. Download and run the DigiCert Certificate Utility on your IIS server.
  2. In the utility, right-click your certificate and click Edit Friendly Name.

    IIS 7 Host Headers Edit Friendly Name

  3. The friendly name can be any name that you want, just make sure that the name starts with an *.

    You may want to add the expiration date and the DigiCert name to the end of the friendly name (i.e. *.yourdomain.com (DigiCert)(Expiration date). This type of information identifies the certificate issuer and also the date that the certificate expires.

    IIS 7 Host Headers Edit Friendly Name

  4. Click Save.
  5. For a website without a binding for https, see Adding Site Bindings (Website Does Not Have Binding for https).

    For a website with a binding for https, see Editing Site Bindings (Website Has Binding for https).

Adding Site Bindings (Website Does Not Have Binding for https)

  1. Open Internet Information Services (IIS) Manager.

    On the Windows Start menu, on the right side, click Administrative Tools > Internet Information Services (IIS) Manager.

  2. In IIS Manager, under Connections, expand your server name, and then expand Sites.

    IIS 7 Host Headers Edit Site 1 Bindings

  3. Right-click on a website, and then click Edit Bindings.

  4. In the Site Bindings window, click Add.

    IIS 7 Add Bindings Window

  5. In the Add Site Binding window, set the following options, and then click OK:

    Type: In the drop-down list, select https.
    IP address: In the drop-down list, select All Unassigned.
    Port: Enter 443. The port for SSL traffic is usually port 443.
    Host name: Enter your website’s DNS name (e.g. website1.yourdomain.com).
    SSL certificate: In the drop-down list, select the SSL certificate by its friendly name (*.yourdomain.com).

    IIS 7 Host Headers Add Hostname

    The host headers should now be properly configured for that website.

  6. Repeat these steps as many times as needed for all of the sites to which you want to assign SSL host headers.

    In step 5, make sure to change the host name to match the website's DNS name each time.

  7. You may need to restart the IIS sites for the changes to take effect.

  8. You can verify the changes by opening each site in a web browser.

    If the wrong page is displayed for any URL, your SSL host headers have not been configured correctly.

Editing Site Bindings (Website Has Binding for https)

  1. Open Internet Information Services (IIS) Manager.

    On the Windows Start menu, on the right side, click Administrative Tools > Internet Information Services (IIS) Manager.

  2. In IIS Manager, under Connections, expand your server name, and then expand Sites.

    IIS 7 Host Headers Edit Site 1 Bindings

  3. Right-click on a website, and then click Edit Bindings.

  4. In the Site Bindings window, select the https binding for this webiste, and then click Edit.

    IIS 7 Edit Bindings Window

  5. In the Edit Site Binding window, set the following options, and then click OK:

    IP address: In the drop-down list, select All Unassigned. If your server has multiple IP addresses, select the one that applies.
    Host name: Enter your website’s DNS name (e.g. website1.yourdomain.com).
    SSL certificate: In the drop-down list, select the SSL certificate by its friendly name (*.yourdomain.com).

    IIS 7 Host Headers Add Hostname

    The host headers should now be properly configured for that website.

  6. Repeat these steps as many times as needed for all of the sites to which you want to assign SSL host headers.

    In step 5, make sure to change the host name to match the website's DNS name each time.

  7. You may need to restart the IIS sites for the changes to take effect.

  8. You can verify the changes by opening each site in a web browser.

    If the wrong page is displayed for any URL, your SSL host headers have not been configured correctly.

Setting Up Host Headers in IIS 7 Using the Command Line

  1. Install the SSL Certificate to the site where you will use secure bindings.
  2. Next, open a command line by clicking Start > Run. Type cmd and click OK.
  3. Type cd C:\Windows\System32\Inetsrv\ to change the directory where you manage SSL host headers and click enter.
  4. Type the following command on one line:

    appcmd set site /site.name:"Name of Website in IIS" /+bindings.[protocol='https',bindingInformation='*:443:Host Header']

    You can find the name of website in IIS and host header in the IIS 7 Connections window under Sites. The host header value is the value that is assigned to the (e.g. digicert.com).

    IIS 7 SSL Host Headers Site Identifier

    You should see a response message in the command prompt that says "SITE object "your site" changed".

  5. Repeat the previous step as many times as necessary until you have set up SSL host headers for all of the websites that need them. If you need to enter the command for multiple sites, we recommend using our DigiCert IIS 7 SSL Host Header Command Generator.

  6. You may need to restart the IIS sites for the changes to take effect.

  7. You can verify the changes by opening each site in a web browser.

    If the wrong page is displayed for any URL, your SSL host headers have not been configured correctly.