IIS – Wildcard HTTPS Binding with Centralized Certificate Store

iis

Using IIS 10 and a Centralized Certificate Store, is it possible to have a wildcard https binding, so that any request coming in over HTTPS will automatically attempt to grab the relevant certificate from the centralized store?

Best Answer

It depends on your definition of "wildcard".

IIS searches the CCS (Centralized Certificate Store) not based on the SNI name, but based on the binding name. Therefore it is not possible to have a catch-all binding with the CCS.

However, the CCS does support wildcard PFX files when a file starts with _.. Therefore, if you have a site with the binding blog.example.com, it will use the _.example.com.pfx file if present.

With IIS 10, we now also have wildcard binding support. Therefore, you can make a binding *.example.com and this will indeed work with the _.example.com.pfx file as well.

Related Solutions

Windows – Wildcard certificate with SAN

When a subject alternative name is in place, the common name (edit: from the subject) is no longer used. Solution: Add the wildcard name to the list of subject alternative names.

Ssl – SNI and wildcard SSL certificates on the same server with IIS

Baris is right! The SSL certificate configured on an IP:PORT binding (example: 100.74.156.187:443) always takes precedence in http.sys! So the solution is as follows:

Do not configure an IP:443 binding for your wildcard-fallback-certificate but configure a *:443 binding (* means "All Unassigned") for it.

If you have configured your wildcard certificate on the Azure Cloud Service SSL endpoint (as i have) you have to change the SSL binding created by the Azure Cloud Service Runtime (IISconfigurator.exe) from IP:PORT to *:PORT. I am calling the following method in OnStart of my web role:

public static void UnbindDefaultSslBindingFromIp()
{
    Trace.TraceInformation(">> IISTenantManager: Unbind default SSL binding from IP");
    using (var serverManager = new Microsoft.Web.Administration.ServerManager())
    {
        try
        {
            var websiteName = string.Format("{0}_Web", Microsoft.WindowsAzure.ServiceRuntime.RoleEnvironment.CurrentRoleInstance.Id);
            var site = serverManager.Sites[websiteName];
            var defaultSslBinding = site.Bindings.Single(b => b.IsIPPortHostBinding && b.Protocol == "https");
            defaultSslBinding.BindingInformation = string.Format("*:{0}:", defaultSslBinding.EndPoint.Port);
            serverManager.CommitChanges();
        }
        catch (Exception ex)
        {
            Trace.TraceError(ex.ToString());
        }
    }
}

The following screenshot shows a working configuration of our cloud service. Please don't be confused about the non-standard ports. The screenshot is from the emulated cloud service.

working IIS configuration

One further thing to mention: Do not change all bindings to * because the HTTP (port 80) binding only works with IP:PORT binding in the deployed cloud service. Something else is bind to IP:80 so *:80 does not work because * stands for "all unassigned" and the IP is already assigned somewhere else in http.sys.

Best Answer

Related Solutions

Windows – Wildcard certificate with SAN

Ssl – SNI and wildcard SSL certificates on the same server with IIS

Related Topic