IIS SSL Certificates – Separate LAN and WAN Certificates for Same Server

You shouldn't need a second IP address or a second website. All you need to do is get a new certificate issued for your existing site, with the addition of the "Subject Alternate Name" attribute defined. This will you to use the same SSL cert for multiple fully qualified domain names.

You have two separate issues.

1. Design a way of generating and maintening your certificates. Typically, that means installing a CA and using it for signing user-generated certificates. It's a rather complex topic but you might want to start by installing and understanding the "Certificate Authority" role in Windows. Do NOT install that on the same machine as your web server, though.
2. Implementing a Client certificate authentication rule in IIS 7.5. That's actually not too complex to do.

Here are the details on how to setup client certificate authentication in IIS 7.5:

• In the role manager, install the IIS role service called "IIS client Certificate mapping authentication"
• Open the IIS manager and select the site or folder you want to secure.
• Open the "configuration editor" and browse to the "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" section.
• Set "enabled" to "true".

Now, you got different options (both can be enabled at the same time): many-to-one and one-to-one mapping. See this documentation of how to set it up but, basically, you create a base-64 encoded version of each certificate you want to accept, open it in a text editor, you remove the "begin certificate" and "end certificate" lines, remove all line breaks for it and then create a mapping entry in the configuration editor with the Windows Username and password to use for that cert logon and using the string you just created in the "certificate" field.

Using man-to-one mapping is a bit more complex because you have to specify which field of the client certificate will be used for verifying a client certificate (instead of using the whole certificate) but it can be easier to maintain if you have many users (since you won't need to install every individual certificate on the web server).

Also, know that all certificate you use NEED to be valid on the server: you'll need to install them in the server system's certificate store (not your user, the system's) either in the "trusted People" section (for self-signed and user certificates), in the "Trusted Root CA" (for certificate root) or in the Intermediary Certificate Authority" (for ICAs).