I am trying to find the best way to set up SSL certificates for a CMS web application we're developing. We'll be adding new sites frequently which require content to be served over HTTPS / SSL, but the domains will be different per client.
It is an ASP.Net (3.5 SP1) application running on IIS 6 (Win Server 2003), and ideally we'd like to run it from one IIS site. Firstly for performance, as I'm guessing having lots of IIS sites running from the same set of files, each maintaining their own database connections and cache isn't a very good idea?! Secondly, to keep things simple from a maintenance and scalability point of view.
So, is there a way to set up our app on one site in IIS which has some kind of universal SSL certificate for potentially hundreds of domains? Or if that's not possible or not recommended, what are the next best options? Or if upgrading to Win Server 2008 & IIS7 would help, we could look at that too.
Many thanks, Tim
Its not possible to use more than one certificate per site in IIS 6 and as far as I am aware the same is true of IIS 7.
If your clients can all use a subdomain of the same domain, you could use a wildcard cert (*.domain.com) to do this. If thats not possible, then a SAN cert would allow multiple domains in one certificate,but if your going to need hundreds of domains, its going to get expensive, and you may reach a limit of how many domains your allowed per cert.
There's nothing to stop you having multiple sites in IIS, all pointing to the same content.
Even if you use multiple IIS sites, you would need to have a unique IP address and certificate for each site. If you don't have a unique IP address for each site, you would need to use a wildcard certificate or UC certificate (http://www.sslshopper.com/unified-communications-uc-ssl-certificates.html) anyway, and then configure SSL Host Headers for each site: http://www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html
I would recommend trying to use subdomains so you can use a wildcard certificate on one site.
Remember, you can only use ONE certificate per ip/port combo. You can of course use a wildcard (SAN) certificate on multiple IPs and/or ports. This means you need multiple IPs (since using a non-standard 80 port is often not acceptable) for you server, if you are not using a SAN certificate, since you cannot assign two different certificate, listening on the same IP.
Hope this is clarifying.
Use a single IIS site and logic in the application to detect which client to serve. I would install either a multiple domain SSL certificate or a wildcard subdomain cert. GoDaddy has multiple domain SSL certs:
www.godaddy.com/gdshop/ssl/ssl.asp?ci=9039
For around $1,200 / yr you can serve over 100 domains. Where I work we have a wildcard subdomain and have an application that serves multiple subdomains.
Here is a site that may help you as well: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true
If I remember IIS6 has trouble adding multiple SSL bindings for a single site. You can do this, but you must use the command line and not the GUI. See:
www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html