Cheating the SSL System

I recently had an occasion where I needed to host quite a few SSL sites on a single server, each in its own unique site, and each with its own app pool, all behind port 443.  We utilize load balancers to handle our web traffic as well as maintain our certificates in a single location.  It’s cost effective, easy to manage, and incredibly versatile.

Unfortunately, it introduces a bit of complexity to the environment.  Ideally, on IIS7, you would run a unique cert issued by a trusted certificate authority (CA) such as DigiCert for every site.  This however is not cost effective at a large scale.

So, the solution to this is to actually create your own self-signed wildcard certificate utilizing a tool from the IIS6 Resource Kit called ‘selfssl.exe’ – this allows IIS7 to actually prompt you for the host header name in the configuration.

It’s quick, it’s easy, and best of all, once you do it for each server, you’re golden for all other sites created on that server.  And when you’ve got over 500 sites on a server…you’ll save yourself a considerable amount of time.

The Process

  1. Download the IIS6 Resource Kit
  2. Install the SelfSSL Utility onto your web server
  3. On the web server, open a command prompt under the administrator context and change to the ‘c:\Program Files (x86)\IIS Resource\SelfSSL’ directory
  4. Optional: Retrieve a list of sites if you need to apply this to any site other than the first site:
    1. Run ‘%windir%\system32\inetsrv\appcmd.exe list sites’, which will output the sites along with their site ID’s
  5. Run the ‘SelfSSL.exe’ command with the following parameters:
    1. ‘selfssl.exe /N:CN=*.contoso.com /V:3650 /S:1 /K:2048’
    2. Replace ‘contoso.com’ and ‘S:1’ with parameters that apply to your scenario
  6. From here, go into the Bindings for the site and note that you can now enter the host name of your choosing (so long as it is a child of ‘contoso.com’ you’ll be fine).

Okay out, and you’re all set.

Advertisements
This entry was posted in Certificates, IIS7, SelfSSL, SSL and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s