Single IP and Multiple Wildcard Certificates – Windows 2012 R2

I know that my normal blog posts cover Exchange and Office 365, but I also like to dabble where I can. Today a client of mine was in a bit of a situation. They were moving from a series of physical on-premises servers to a single web server in Microsoft Azure, which has a single IP address. The problem was that the original servers had one wildcard certificate per server (and, by association, per IP address). Reproducing that on one server would be impossible on Windows Server 2008 (or 2008 R2) with IIS 7, because a certificate there is bound to an IP:port pair.

Solution? –> Problem

The solution is to use SNI (Server Name Indication), which lets the client name the host it wants during the TLS handshake so IIS can select the right certificate. However, if not configured properly, SNI will fail. The other issue is that SNI is not supported by Windows XP and older browsers, and a non-SNI client is simply handed the certificate of whichever binding answers first. The conundrum for the customer was that they needed to support XP and older browsers as well as use SNI to serve multiple wildcard certificates from a single IP address. Yes.

The client had attempted to set this up, and when browsing to subdomain sites that should use the second wildcard certificate, the browser would display something like this:

[Screenshot SSL-01: browser certificate warning]

When we checked out the certificate, you could see the wildcard certificate was for the wrong domain:

Certificate shown – *.test.local
Certificate that should have been shown – *.sub1.test.local

[Screenshot SSL-02: certificate details]

We reviewed the configuration and the correct certificate was assigned.

[Screenshot SSL-03: site binding configuration]

After a bit of digging and playing with the settings in IIS (again minding the fact that IIS is not my usual playground), I came up with a solution that would work. The main domain would have a host header assigned and SNI would be unchecked. Each subdomain site would then have SNI checked and a host header as well. The IP address would be set to unassigned on every site. As follows:

[Screenshot SSL-04: main site binding, host header set, SNI unchecked]

[Screenshot SSL-05: subdomain site binding, host header set, SNI checked]

I was able to confirm this solution in my lab. Then I had the client replicate it. However, they ran into the same issue. We even enabled SNI on every site. This still failed.

The Fix

So we reviewed each sub-site, each binding and each certificate. All the settings seemed to be in place. However, while reviewing their IIS site configuration I saw they had something I did not:

Correct Sites

[Screenshot CorrectSites: site list without the Default Web Site]

Incorrect Sites

[Screenshot WrongSites: site list including the Default Web Site]

Once we deleted the ‘Default Website’ the certificate issues went away. Its https binding has no host header and no SNI flag, so it answered first for every non-SNI request on the shared IP and handed out its own certificate. So now we have two wildcard certificates sharing one IP address on a server in Azure.

Conclusion

So the solution, simply outlined, is as follows:

  • Install all wildcard certificates.
  • Remove the default website.
  • For one site (if legacy support is needed): IP unassigned, host header used, correct certificate selected and SNI unchecked.
  • For all other sites: IP unassigned, host header used, SNI checked, and correct certificate selected.

That successfully worked for my customer and my test lab I use for validation. Both environments were using Windows Server 2012 R2.
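The same binding layout scripted with the WebAdministration module, as an added example that is not part of the original post. Site names, host names and certificate subjects are assumptions for illustration; the final function is a check for the catch-all binding the post identifies as the culprit.

```powershell
# Added example (not from the original post). Assumes Windows Server 2012 R2,
# IIS 8.5, and two sites named 'MainSite' and 'Sub1Site' (assumed names).
Import-Module WebAdministration

# 1. Remove the Default Web Site: its *:443 binding has no host header and no
#    SNI flag, so it answers first and serves the wrong wildcard certificate.
if (Get-Website -Name 'Default Web Site') {
    Remove-Website -Name 'Default Web Site'
}

# 2. Look up the installed wildcard certificates by subject (assumed subjects).
function Get-WildcardCert([string]$Subject) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate for $Subject in LocalMachine\My" }
    return $cert
}
$mainCert = Get-WildcardCert '*.test.local'
$subCert  = Get-WildcardCert '*.sub1.test.local'

# 3. Legacy site: host header, unassigned IP, SNI off (SslFlags 0) so that
#    non-SNI clients such as Windows XP still receive this certificate.
New-WebBinding -Name 'MainSite' -Protocol https -Port 443 -IPAddress '*' `
    -HostHeader 'www.test.local' -SslFlags 0
# Without SNI the certificate is attached to the IP:port, not to a host name.
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $mainCert

# 4. Every other site: host header, unassigned IP, SNI on (SslFlags 1).
New-WebBinding -Name 'Sub1Site' -Protocol https -Port 443 -IPAddress '*' `
    -HostHeader 'www.sub1.test.local' -SslFlags 1
# With SNI the certificate is attached to the host name.
New-Item -Path 'IIS:\SslBindings\!443!www.sub1.test.local' -Value $subCert -SslFlags 1

# 5. Check: only one non-SNI https binding may exist on port 443. A second one
#    (typically a leftover default site) reproduces the symptom in the post.
function Test-SniLayout {
    $nonSni = Get-WebBinding -Protocol https |
        Where-Object { $_.bindingInformation -like '*:443:*' -and $_.sslFlags -eq 0 }
    if (@($nonSni).Count -gt 1) {
        Write-Warning 'More than one non-SNI https binding on 443; check for a default site'
        return $false
    }
    return $true
}
Test-SniLayout
```

Run `netsh http show sslcert` afterwards to confirm one IP:port entry and one hostname:port entry per SNI site.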


4 thoughts on “Single IP and Multiple Wildcard Certificates – Windows 2012 R2”

  • Deleting the cert entries with netsh http delete sslcert and doing the bindings again seems to work but seems a bit flimsy. I have multiple servers in a load balancer and the sites are webdeploy synced, so I hope it doesn’t get broken easily!

  1. I know this has been out here a while but THANK YOU! After searching for hours as to why I could not get my new certificate to be handed out ala SNI and instead it kept giving me my *existing* wildcard cert, I found this page. In my case I was concentrating on my primary web server and setting up SNI bindings there, but failed to realize/remember that there was *another* test web server on this IIS bound to the same IP… your Default Web site issue pointed me in the right direction… once I fixed the bindings on the test site, it all works perfectly.
