How to set up SSL on multiple web sites in Internet Information Services (IIS) with shared configuration

Article ID: 2548832

SUMMARY

Consider the following scenario. You want to set up shared configuration for 2 Internet Information Services (IIS) servers. For the purpose of this example they are named Server A and Server B. You are going to have 2 different web sites, here named Site1 and Site2. Both of these websites are going to use their own dedicated IP addresses as shown below: 

Server A --> Site1 --> 10.10.10.1
Server A --> Site2 --> 10.10.10.2

Server B --> Site1 --> 10.10.10.3
Server B --> Site2 --> 10.10.10.4

You then configure Server A and Server B for shared configuration, but you run into a problem with the web site bindings. In an applicationHost.config file, the bindings for a web site typically look like this:

<site name="Site1" id="1">
   <application path="/" applicationPool="Site1">
      <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
   </application>
   <bindings>
      <binding protocol="http" bindingInformation="10.10.10.1:80:www.contoso.com" />
      <binding protocol="https" bindingInformation="10.10.10.1:443:" />
   </bindings>
</site>

As you can see, nothing in this configuration identifies the web server by name (for example, Server A). So when you bind "Site1" to 10.10.10.1 on Server A, the same settings are replicated to Server B. But the 10.10.10.1 IP address is not assigned to any network adapter on Server B. On Server B you actually want "Site1" bound to 10.10.10.3 on ports 443 and 80.

To overcome this situation, you need to manually add extra bindings for each web site. For example, you need to add a binding for IP 10.10.10.3 and port 443 on Server A, even though that address is not assigned to Server A. This is fine, since IIS on Server A will simply ignore that IP when starting up, as it cannot find it. You can use the following appcmd.exe command to add this binding:

appcmd.exe set site /site.name:Site1 /+bindings.[protocol='https',bindingInformation='10.10.10.3:443:']

Note: The IIS Manager user interface will not let you do this for https; you must use the appcmd.exe tool.

Once you add this binding using appcmd.exe, your new configuration in the applicationHost.config will look like the following:

<site name="Site1" id="1">
   <application path="/" applicationPool="Site1">
      <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
   </application>
   <bindings>
     <binding protocol="http" bindingInformation="10.10.10.1:80:www.contoso.com" />
     <binding protocol="https" bindingInformation="10.10.10.1:443:" />
     <binding protocol="https" bindingInformation="10.10.10.3:443:" />
   </bindings>
</site>

Remember, you have not yet assigned an actual certificate to this site. You have just added the IP bindings for port 443. You can now assign an existing certificate using the IIS manager UI. The following article can help you do so:

http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7

Once you have assigned a certificate, the entries will be configured in http.sys and you will be able to view them using the following NETSH command from a command prompt:

netsh http show sslcert

Similarly, follow the above steps and logic to add the rest of your sites and certificates to the remaining server(s). Note that SSL certificate information is never stored in the applicationHost.config file. It is local to the machine and it is the responsibility of the server administrator to make sure to export and import the correct certificates on all of the servers in the farm that are using shared configuration. 
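
The check below is an added example, not part of the original article or of any Microsoft tool: it cross-references the https bindings in a shared applicationHost.config with netsh http show sslcert output saved from one server, and reports sites that have no https binding on that server's addresses as well as local https bindings with no certificate in http.sys. The Site2 entry, the trimmed netsh text and the function names are constructed for illustration, and only IPv4 ip:port:hostname bindings are handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: <sites> fragment of a shared applicationHost.config.
SHARED_CONFIG = """<sites>
  <site name="Site1" id="1"><bindings>
    <binding protocol="http" bindingInformation="10.10.10.1:80:www.contoso.com" />
    <binding protocol="https" bindingInformation="10.10.10.1:443:" />
    <binding protocol="https" bindingInformation="10.10.10.3:443:" />
  </bindings></site>
  <site name="Site2" id="2"><bindings>
    <binding protocol="https" bindingInformation="10.10.10.2:443:" />
  </bindings></site>
</sites>"""

# Constructed, trimmed sample: `netsh http show sslcert` output saved on Server B.
NETSH_SERVER_B = """SSL Certificate bindings:
-------------------------
    IP:port                 : 10.10.10.3:443
    Certificate Hash        : PLACEHOLDER_THUMBPRINT
    Certificate Store Name  : MY
"""

def https_endpoints(config_xml):
    """Map each site name to the set of 'ip:port' values of its https bindings."""
    sites = {}
    for site in ET.fromstring(config_xml).iter("site"):
        eps = set()
        for b in site.iter("binding"):
            if b.get("protocol") == "https":
                # bindingInformation is ip:port:hostname (IPv4 only handled here)
                ip, port, _host = b.get("bindingInformation").split(":", 2)
                eps.add(f"{ip}:{port}")
        sites[site.get("name")] = eps
    return sites

def sslcert_endpoints(netsh_output):
    """Collect the 'ip:port' keys that http.sys holds a certificate for."""
    return set(re.findall(r"^\s*IP:port\s*:\s*(\S+)", netsh_output, re.M))

def audit(config_xml, netsh_output, local_ips):
    """Return (sites with no https binding on a local IP, local bindings lacking a cert)."""
    certs = sslcert_endpoints(netsh_output)
    unbound, no_cert = [], []
    for name, eps in sorted(https_endpoints(config_xml).items()):
        local = sorted(ep for ep in eps if ep.rsplit(":", 1)[0] in local_ips)
        if not local:
            unbound.append(name)
        no_cert += [(name, ep) for ep in local if ep not in certs]
    return unbound, no_cert
```

Run audit once per server with that server's own addresses and its own saved netsh output; a non-empty result means the shared configuration and the machine-local certificate bindings have drifted apart.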


MORE INFORMATION

You can learn more about managing shared configuration here:

http://learn.iis.net/page.aspx/264/shared-configuration/
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2548832 - Last Review: May 6, 2011 - Revision: 3.0
APPLIES TO
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 7.5
Keywords: 
KB2548832
