TechOnTip Weblog

Run book for Technocrats

How to configure/import SAN certificate in IIS 7.x?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 5

How to configure/import SAN certificate in IIS 7.x?

  • Apart from SSL certificate (SAN) you may have to install another intermediate/chain certificate from your certificate authority to get your certificate work properly. Check with your provider.
  • You can import SSL cert using your Windows Certificate MMC or IIS – SSL Security settings.

Using Windows Certificate MMC:

  • Open Certificate MMC snap in for your computer
    • Click on Start – Run – MMC – File – Add/Remove Snap In – Select Certificates – Click Add – Select My Computer
  • Click on Personal – All Tasks – Import Certificate –Select the SSL certificate & import – Click yes on Thumbprint validation window

Using IIS Manager:

  • Open IIS Manager – Select Server in the left hand side & open “Server Certificates” from the mid working pane

  • Click on Import & Select certificate PFX file, type import password if you have kept at the time of certificate creation. If you want to export this certificate for further use in any of the server make sure you select “Allow this certificate to be exported”.

Bind SAN SSL Certificate to multiple web sites

  • After you have imported the SAN certificate to IIS you can bind the certificate to different websites in the same IIS 7.x server
  • To bind SAN SSL cert to multiple websites you have to configure different host headers for the websites. Make sure you keep host headers exactly to SAN URLs or SSL Subject Alternative Names; else you will get SSL error regarding the same.
  • Select the website, click on bindings. It will open up Site Bindings window

  • Click Add to create a new binding with host header, IP address & Port.
  • From Type select HTTPS, from IP Address menu select the IP Address & in Port input box type 443.
  • If you have only IP Address available then you may be selecting same IP address for all websites. In that case we have to type a UNIQUE host header as I told you earlier. But now this field may be grayed out.

  • Let’s select the imported SSL Cert (SAN) from SSL Certificate drop down menu. You may observe still the host header filed is not editable — phew! So you can’t type the unique hostheader name here.
  • IIS Provides a command line tool (appcmd) to do that. Well there is another IIS 7.x undocumented hack you can use for this purpose.

APPCMD for SSL Binding

  • You have to run below command after editing Website Name & Hostheader Value for each websites

appcmd set site /site.name:”<WEBSiteName>” /+bindings.[protocol=’https’,bindingInformation=’*:443:<hostHeaderValue>‘]

Undocumented IIS Hack for SSL Binding

  • From Certificate MMC, right click the SSL certificate name & add a asterisk (*) in front of the friendly name of the certificate. Now when you select the certificate you will able type the host header in the IIS Manager itself. Thanks to my friend Jason Heisley for telling me this little hack. Here is another blog article regarding this hack.

Advertisements

6 Responses to “How to configure/import SAN certificate in IIS 7.x?”

  1. This is my first time pay a visit at here and i am really pleassant to read
    everthing at one place.

  2. xserver said

    Useful information. Fortunate me I found your website accidentally, and I am surprised why this accident did not happened in advance!
    I bookmarked it.

  3. Colin Gregory said

    Amazing… I have been struggling with a SAN cert and IIS all afternoon, this sorted the issue in less than a minute, turning a major issue into an easy job.

    Cheers.

    Colin.

  4. […] How to configure/import SAN certificate in IIS 7.x?In “IIS” […]

  5. Semicolon said

    Your wildcard trick is a way to enable Server Name Indication (SNI) in IIS; which is officially an UNsupported configuration earlier than IIS 8. I would recommend warning your readers of that before recommending the hack.

  6. What’s up to every body, it’s my first pay a quick visit of this webpage; this
    weblog contains awesome and genuinely excellent
    information for readers.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: