Home / server / Questions / 96810
Accepted
p.campbell
Asked: 2009-12-23 15:23:22 +0800 CST

IIS7: can't set host name on site with SSL cert and port 443

  • 772

Consider a Win 2008 SP2 machine with IIS7. The task is to apply a certificate and host name to the one and only Site on this machine. The site's host headers need to be abc.123.example.com

The first step was installing the .pfx to the Personal Store, which was successful.

IIS7 finds the cert as available, but won't allow the entry of a host name. The host name textbox is ALWAYS disabled/greyed out, even before selecting my cert. I've even deleted the default port 80 binding.

Site Bindings

Question: how can I set a host name for this site? Is it a matter of this cert being a wildcard cert? I understand that the SSL request comes into the web server, and the host header in the packet is encrypted. Why then would IIS6 allow the host header to be specified, but IIS7 not?

Update: The cert isn't part of the problem. I've created a new Site on the machine, and when choosing https binding, the host name textbox is disabled.

windows-server-2008

11 Answers

  1. Its does work in GUI...

    Just make sure the the 'friendly name' of the cert you are installing is the same as the multidomainname you have made for the cert.

    ie. *.companydomain.com

    if you put in 'Nice friendly name' for *.companydoman.com cert, when installing the cert into IIS, it will grey out the host name header box.

    If you use *.companyname.com as the friendly name, you're golden.

    Boom.

    • 51
  2. Best Answer

    You can't do it from the UI, you have to do it from the command line. Here's a nice walk through of the process:

    http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

    • 34

  3. The short answer is that each IP can only have one certificate bound to it, so the certificate binding is going to apply no matter what hostname is directed to that IP address. Being able to specify a hostname would imply that you can have multiple hostname and certificate combinations on the same IP address and port (as you can with non-SSL entries), but this is not the case, so the field is unavailable.

    The more complete explanation is that SSL encrypts your traffic, and part of that traffic is the HTTP headers sent by the browser to the server. One of those headers would be the "Host" header which IIS uses to determine which site to load up with the request. Since the certificate needs to be loaded to establish the secure connection BEFORE the request headers are sent, IIS has to select the certificate based only upon the IP address and port number, leaving the "Host" header out in the cold as a factor in determining which site to load, so they don't let you enter one.

    Here is an article which outlines the inner workings of the SSL connection in finer detail.

    • 10

  4. The SSLShopper answer did not work for me because it left the binding without the host header, and you couldn't remove that binding without breaking the connection to the certificate. Here is the method I used to get it to work:

    Please note that this answer assumes that your certificate has already been generated, added to the certificate store, and added to IIS. It also assumes you do not want any other bindings to your website besides the SSL one.

    First, we need to gather some information. We need the hash, the application ID and the host name.

    Steps

    1. Open IIS, select your server and double click on "Server Certificates" in the bottom section. Note the "Issued To" address. This is our host name. Save this.
    2. Select your site
    3. Bind your site to port 80 using the http protocol
    4. Remove all other bindings
    5. Bind your site to port 443 using the https protocol

    6. Open a command prompt

      netsh http show sslcert

    7. Save the Certificate Hash and the Application ID

    8. Remove the https binding on your site

    9. At the command prompt:

      netsh http add sslcert ipport=0.0.0.0:443 certstorename=my certhash=<put Certificate Hash here> appid={<put Application ID here>}

appcmd set site /site.name:"<put site name here>" /+bindings.[protocol='https',bindingInformation='*:443:<put host name here>']

    Note: Appcmd.exe can be found in C:\Windows\System32\inetsrv. You may need to be in that folder for this command to work.

    1. Remove the http binding from your site
    • 9

  5. The accepted answer here is confusing and I don't think it's correct for the question. It shouldn't be the accepted answer.

    The problem

    You have a wildcard SSL such as *.ipsum.com and the certificate is installed but you can't choose a host name for the site in IIS when you try to add an HTTPS binding because the text box is greyed out.

    The solution

    Your wildcard SSL can be used with any subdomain, you just need to make sure you start the Friendly Name of the certificate with *. I prefer to use the same friendly name as the wildcard domain, e.g. *.ipsum.com but you can call it anything that beings with the asterix: *foo

    I gave my certificate the wrong Friendly Name, help!

    Since Windows 8 or Server 2012, you can type certlm.msc in the start menu to manage certificates for the local machine. On previous versions of windows you will need to do something slightly more convoluted:

    1. Run mmc.exe from start
    2. Go to File menu and choose Add/Remove Snap-in... or hit (Ctrl-M)
    3. Highlight the Certificates snap-in and hit Add > then choose Computer Account followed by Local Computer in the subsequent dialogs then hit Finish followed by OK to close the Snap-ins window

    In the main window, expand Certificates (Local Computer) then Personal then Certificates and you will be able to right-click the certificate, hit Properties where you can update the friendly name.

    Close and open IIS Manager and you can then set your host name.

    • 5

  6. Actually, you can add a host header via the gui, but it depends on how the certificate is named ... if I give a friendly name of *.xyz.com to my wildcard cert, and select that cert, then i'm able to use the gui. if the friendly name is something like xyzwildcard, and I choose that, then it grays out the hostheader field...

    Weird weird

    • 2

  7. Some machines won't let you edit the host name if the protocol is changed to https or after adding an SSL certificate. IIS can be grumpy at times.

    This Windows command will create a new binding with protocol "https", on port "443", host name "subdomain.domain.com", site name "site name". Change those values (in quotes) to meet your requirements. You will then need to delete the old binding if its using port 443.

    Run Windows Command Prompt as Administrator

    C:>cd C:\Windows\System32\inetsrv

    C:\Windows\System32\inetsrv>appcmd set site /site.name:"site_name" /+bindings.[protocol='https',bindingInformation='*:443:subdomain.domain.com']

    • 1

  8. Hostname can be added only when the friedlyname of the selected Certificate will be like hostname *.xyz.com and You can rename certificate friendly name to *.xyz.com from mmc(Snap-in).

    • 0

  9. I think this KB article will shed some light on the issue. In a nutshell HTTP 1.1 host headers are not supported when you use SSL.

    What will probably accomplish what you want is to use the SecureBindings metabase key. E.g. cscript.exe adsutil.vbs set /w3svc/websiteID/SecureBindings "ip.ip.ip.ip:443:abc.123.mysite.com

    • -1

  10. Why MS takes this OUT of the GUI is beyond me, since, if you have an ASP.NET application that makes use of license files (licx), your site will not work because it shows up as an IP address instead of a domain name. They need to STOP ASSUMING on every new release of their software - IT people do not need to be babysitted by Microsoft! Geez!

    • -1