I recently had an occasion where I needed to host quite a few SSL sites on a single server, each in its own unique site, and each with its own app pool, all behind port 443. We utilize load balancers to handle our web traffic as well as maintain our certificates in a single location. It’s cost effective, easy to manage, and incredibly versatile.
Unfortunately, it introduces a bit of complexity to the environment. Ideally, on IIS7, you would run a unique cert issued by a trusted certificate authority (CA) such as DigiCert for every site. This however is not cost effective at a large scale.
So, the solution to this is to actually create your own self-signed wildcard certificate utilizing a tool from the IIS6 Resource Kit called ‘selfssl.exe’ – this allows IIS7 to actually prompt you for the host header name in the configuration.
It’s quick, it’s easy, and best of all, once you do it for each server, you’re golden for all other sites created on that server. And when you’ve got over 500 sites on a server…you’ll save yourself a considerable amount of time.
The Process
- Download the IIS6 Resource Kit
- Install the SelfSSL Utility onto your web server
- On the web server, open a command prompt under the administrator context and change to the ‘c:\Program Files (x86)\IIS Resource\SelfSSL’ directory
- Optional: Retrieve a list of sites if you need to apply this to any site other than the first site:
- Run ‘%windir%\system32\inetsrv\appcmd.exe list sites’, which will output the sites along with their site ID’s
- Run the ‘SelfSSL.exe’ command with the following parameters:
- ‘selfssl.exe /N:CN=*.contoso.com /V:3650 /S:1 /K:2048’
- Replace ‘contoso.com’ and ‘S:1’ with parameters that apply to your scenario
- From here, go into the Bindings for the site and note that you can now enter the host name of your choosing (so long as it is a child of ‘contoso.com’ you’ll be fine).
Okay out, and you’re all set.
Finicky Server Administrator Musings 