
Using IIS 10, I have 3 websites with 3 different hostnames, but the same IP address and port, and each of them has its own SSL certificate.

In the bindings I can see that each has the correct certificate attached (when I click View I see the right details for each).

However, when I go to the URL in the browser, it says the certificate is not trusted (except for the one site this certificate belongs to), and when I click to see the certificate information, I see they all use the same certificate even though each is bound to its own certificate in IIS.

I did tick the box saying "Require Server Name Indication", but still it uses only one certificate.

In my case where all websites use the same IP and port, is it possible to also use a different certificate?

In this case, where I use the same IP and port for all websites, do I have to use a single certificate? Or can I somehow make it work with separate certificates?

  • The question is which browser you were using. If the browser does not follow SNI to send the host name in the SSL handshake, then the certificate from the IP based binding will be used instead of the one from the SNI based bindings, docs.jexusmanager.com/tutorials/… You might stop serving such non-SNI browsers, as they are usually legacy ones with lots of other issues.
    – Lex Li
    May 24 at 19:54
  • It's from Google Chrome/Edge. Could there be an issue with the certificate? Because I also made a mistake in the post: it's not different domains, it's the same domain with different subdomains: web1.example.com, web2.example.com, web3.example.com. In this case, do I need to use the same certificate?
    – pileup
    May 25 at 7:27
  • Subdomains require their own SNI mappings to register in the Windows HTTP API. If you don't have those yet, the problem is then expected. Chrome/Edge started to support SNI years ago, so it is not likely to be a browser side issue.
    – Lex Li
    May 25 at 14:22
  • Thank you, and is it something I can fix when I have 3 separate certificates? Or am I going to have to combine them into 1 with all the subdomains?
    – pileup
    May 25 at 15:04
  • @AndyD273 the solution was to use a single certificate that holds all the needed hostnames.
    – pileup
    Aug 26 at 8:13

1 Answer


This isn't really the solution to OP's problem; it's the solution to my problem, which happens to sound exactly like the problem that OP was having. I'm including it here in case some time down the road someone else has the same problem, and they might be able to use this information to solve it.

We have an IIS server set up with 5 web sites. 3 of them have the same wildcard certificate (www.website1.com, sales.website1.com, dev.website1.com), and the other two have their own single site certificates.

But what was happening was that all 5 sites were getting assigned the wildcard certificate for website1.com.

What we had to do to solve the problem was to set the HTTPS binding on all 5 sites to IP address: All Unassigned, Port 443, and then make sure that Require Server Name Indication was checked and the correct certificate was selected for each site.

See the following example for clarification on the IP address being set to All Unassigned:
[screenshot: IIS site binding dialog with IP address set to All Unassigned, port 443, Require Server Name Indication checked]

  • Hi Andy, you mean "IP address" is local ip or the public ip?
    – Kerwin
    Sep 15 at 5:58
  • @Kerwin I added a screenshot to show you what I mean. Obviously the host name is the name of the website, like website.com or www.website.com, and the SSL certificate is your signing certificate for that website. We didn't have to do it this way when we were running Windows Server 2012 and IIS 8, but once we upgraded to Windows Server 2019 and IIS 10 it was the only way to make it work.
    – AndyD273
    Oct 6 at 13:15
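The procedure in the answer (All Unassigned, port 443, Require Server Name Indication, one certificate per site) and Lex Li's point that every subdomain needs its own SNI mapping in HTTP.SYS can be scripted and checked. This is an added example, not code from the question or answer; it assumes the WebAdministration module on IIS 8 or later and an elevated PowerShell session, and the site names, hostnames and thumbprints are placeholders.

```powershell
# Added example: register per-hostname SNI bindings on one IP/port and verify
# that HTTP.SYS has a Hostname:port entry for each of them.
Import-Module WebAdministration

# Placeholder mapping (replace with your own): site name -> hostname -> thumbprint
# of a certificate already installed in Cert:\LocalMachine\My.
$sites = @(
    @{ Name = 'web1'; Host = 'web1.example.com'; Thumbprint = '<THUMBPRINT-1>' },
    @{ Name = 'web2'; Host = 'web2.example.com'; Thumbprint = '<THUMBPRINT-2>' },
    @{ Name = 'web3'; Host = 'web3.example.com'; Thumbprint = '<THUMBPRINT-3>' }
)

foreach ($s in $sites) {
    # Fail early if the certificate is not in the machine store; binding to a
    # missing thumbprint is the classic cause of "wrong certificate served".
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $s.Thumbprint }
    if (-not $cert) { throw "Certificate $($s.Thumbprint) for $($s.Host) not found in LocalMachine\My" }

    # IPAddress '*' is "All Unassigned"; SslFlags 1 is "Require Server Name Indication".
    $binding = Get-WebBinding -Name $s.Name -Protocol https -Port 443 -HostHeader $s.Host
    if (-not $binding) {
        New-WebBinding -Name $s.Name -Protocol https -Port 443 -IPAddress '*' `
            -HostHeader $s.Host -SslFlags 1
        $binding = Get-WebBinding -Name $s.Name -Protocol https -Port 443 -HostHeader $s.Host
    }
    # Attach this site's own certificate to its hostname binding (store 'My').
    $binding.AddSslCertificate($s.Thumbprint, 'My')
}

# Verify at the HTTP.SYS level. An SNI binding shows up as "Hostname:port : host:443";
# a plain "IP:port : 0.0.0.0:443" entry is what non-SNI clients get, and what every
# site falls back to when its own hostname mapping is missing.
# (Pattern assumes the English netsh output.)
$sslcert = netsh http show sslcert
foreach ($s in $sites) {
    $pattern = 'Hostname:port\s*:\s*{0}:443' -f [regex]::Escape($s.Host)
    if ($sslcert | Select-String -Pattern $pattern) {
        Write-Output ("OK      {0} has its own SNI mapping" -f $s.Host)
    } else {
        Write-Warning ("MISSING {0} has no SNI mapping and will serve the IP-based certificate" -f $s.Host)
    }
}
```

If a hostname is reported MISSING, `netsh http show sslcert` will usually show only an `IP:port` entry, which matches the symptom of every site presenting the same certificate.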
