IIS 8.5 change bindings on bulk (due to SSL certificate renewal)

Without SNI extensions, you can bind only one SSL certificate per IP:port pair. If you need to run 2 HTTPS on the same IP -- bind them to different ports and then refer to such site providing port in URL (e.g. https://beta.example.com:444/). You can use the same wildcard certificate on different ports without any issue.

If you have more than one site with blank host name (for HTTP protocol), then the one with lower ID should be a "catch all". The same goes for HTTPS -- the one with lower ID should intercept all requests on that port.

On another hand, you have a wildcard certificate and I have seen one article which tells that this can be done in IIS7: http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html . I tried it myself in the past, but it did not worked well for me -- quite often IIS was throwing a 5xx error when accessing even static files (which stopped happening when we bind another host to a different port). Maybe it has been fixed since then.

Baris is right! The SSL certificate configured on an IP:PORT binding (example: 100.74.156.187:443) always takes precedence in http.sys! So the solution is as follows:

Do not configure an IP:443 binding for your wildcard-fallback-certificate but configure a *:443 binding (* means "All Unassigned") for it.

If you have configured your wildcard certificate on the Azure Cloud Service SSL endpoint (as i have) you have to change the SSL binding created by the Azure Cloud Service Runtime (IISconfigurator.exe) from IP:PORT to *:PORT. I am calling the following method in OnStart of my web role:

public static void UnbindDefaultSslBindingFromIp()
{
    Trace.TraceInformation(">> IISTenantManager: Unbind default SSL binding from IP");
    using (var serverManager = new Microsoft.Web.Administration.ServerManager())
    {
        try
        {
            var websiteName = string.Format("{0}_Web", Microsoft.WindowsAzure.ServiceRuntime.RoleEnvironment.CurrentRoleInstance.Id);
            var site = serverManager.Sites[websiteName];
            var defaultSslBinding = site.Bindings.Single(b => b.IsIPPortHostBinding && b.Protocol == "https");
            defaultSslBinding.BindingInformation = string.Format("*:{0}:", defaultSslBinding.EndPoint.Port);
            serverManager.CommitChanges();
        }
        catch (Exception ex)
        {
            Trace.TraceError(ex.ToString());
        }
    }
}

The following screenshot shows a working configuration of our cloud service. Please don't be confused about the non-standard ports. The screenshot is from the emulated cloud service.

One further thing to mention: Do not change all bindings to * because the HTTP (port 80) binding only works with IP:PORT binding in the deployed cloud service. Something else is bind to IP:80 so *:80 does not work because * stands for "all unassigned" and the IP is already assigned somewhere else in http.sys.