Clever Geek Handbook

How to configure default website for https using SNI and CCS

We only use IIS8.5 with the default website configured, but with thousands of domains pointing to it on the same load balanced IP address.

We plan to offer https (SSL) for all these thousands of domains. All .pfx certificates will be stored in the Central Certificate Store (CCS) and will be bound to the same website using the same IP address thanks to the Server Name Indication (SNI) feature.

SNI and CCS work great for this purpose, but only if we add explicit bidding for each domain in the default website, which is impractical for thousands of domains:

        <site name="Default Web Site" id="1">
            <application path="/">
                <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
            </application>
            <bindings>
                <binding protocol="http" bindingInformation="*:80:" />
                <binding protocol="https" bindingInformation="*:443:www.domain1.com.br" sslFlags="3" />
                <binding protocol="https" bindingInformation="*:443:www.domain2.com.br" sslFlags="3" />
                <binding protocol="https" bindingInformation="*:443:www.domain3.com.br" sslFlags="3" />
                ...
                ...
                ...
                <binding protocol="https" bindingInformation="*:443:www.otherdomain9998.com.br" sslFlags="3" />
                <binding protocol="https" bindingInformation="*:443:www.otherdomain9999.com.br" sslFlags="3" />
                ...
            </bindings>
        </site>

I tried to configure the default https protocol binding the same as the default HTTP binding and using sslFlags = "3" which stands for SNI + CCS:

        <site name="Default Web Site" id="1">
            <application path="/">
                <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
            </application>
            <bindings>
                <binding protocol="http" bindingInformation="*:80:" />
                <binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
            </bindings>
        </site>

In the above configuration, no SSL certificate is provided to any browser.

Is there any other way to configure the default website for https using SNI and CCS?

I would really appreciate any help in pointing me in the right direction.

Thank!

Guilherme

+3


source to share


1 answer


Case resolved!

1) I first used IIS to create a fake SSL bind on the default website for www.whatever.com using SNI and CCS.

2) Then I manually edited this fake entry in the applicationHost.config file as follows:

FROM

<binding protocol="https" bindingInformation="*:443:www.whatever.com" sslFlags="3" />



TO:

<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />

3) Finally, I sent my certificates to the CCS folder. After about 5 minutes, the new SSL sites were automatically activated by IIS.

In other words, I ended up with a default SSL website using many certificates on the same IP and not creating bindings for each one.

It's great!!!

+4


source






More articles:


All Articles