Installing SSL for Custom Domains in IIS

My web server is (include version): IIS 8.5
The operating system my web server runs on is (include version): Windows Server 2012 R2 Standard

We have integrated Let's Encrypt on our platform and want to install those certificates on our clients' custom domains.
We have a cloud application hosted on Windows Server, i.e. IIS.
We have installed and tested the certificate on IIS, and it's working when we bind a subdomain, so that means the certificates are working fine. The problem we are facing is that our system supports custom domains from clients, so when they add their custom domain using CNAME forwarding from their DNS, we also want to apply SSL to them, which are surely not hard-bound on our IIS server.
Now, how do we configure the IIS server to accept them and apply the SSL certificate to them?


Hi,

I think that's a problem of integration.

Although I'm not a platform person (I've never done any of that work, just a heads up), there's one way I think you might be able to do it.
Write a small program (that you could hook into your platform's user GUI), where a user could apply for a custom domain and there's a small process to check the DNS record, go through the application process, then use the IIS management API to bind the certificate to the corresponding virtual host.
Microsoft IIS Management API: GitHub - microsoft/IIS.Administration: REST API for managing IIS

(The above one might sound naive, but that's all I can think of)

Thank you

Thank you for the suggestion 🙂

Hi @danimalik54

That's not a problem.

Create an http binding with that subdomain name as hostname, so port 80 answers. Then you can create a certificate. Then add an https binding with the domain as hostname and check the SNI box.

That works.

It's not relevant whether your customer uses an A-record domain -> your IP or whether the customer uses a CNAME.

My customers have both models.

Hey guys, I'm helping Danyal out here too, and to clarify, this is what we are trying to do.

Scenario:
The issue we are facing is that clients would set up domains in an A record or CNAME like app.customerdomain.com pointed to our domain. That's on our server like custom.domain.com. We generate a certificate, but where do we bind it? The certificate generated is for the client domain, which isn't bound on our system, because they have their CNAME/A record pointed to our custom.domain.com to handle all the requests.

But if we were to physically bind the domain on the server and apply the certificate, then yes, we are able to obtain SSL. But this isn't the case. Please advise.

Hi @JuergenAuer,

We have customers forwarding their subdomains using CNAME to our server.
So technically they ARE landing on our server, but we DON'T have their subdomains bound in IIS.

Secondly, if you think the solution you suggested is still applicable in our case, could you please elaborate more? I didn't understand those details.

Thank you for the response 🙂

If you want to create a certificate with the customer domain name, and if you want to use http validation, and if you have a running IIS, you need such a binding or a standard port 80 host with an application-specific solution. Both are possible.

What does that mean? Can you please explain this process?

Read some basics about the http challenge:

Then it's application specific.

I have already generated the SSL certificate from Let's Encrypt using the HTTP challenge.
We now have the pfx file for custom domains.

We are facing the issue in the second half: how to apply this certificate in IIS.

Add a binding, select the certificate.

PS: One step is missing: First load the pfx file into your machine's Web Hosting store.

And select the option "marked as exportable".
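The binding steps described in the two replies above (http binding with the hostname, https binding with SNI, pfx loaded into the Web Hosting store as exportable) as one PowerShell routine. This is an added example, not code from the thread or from any poster; it assumes IIS 8.5 on Windows Server 2012 R2 with the WebAdministration and PKI modules, one IIS website named `Platform` (a hypothetical name) that serves all customers, and a pfx file already issued for the customer domain.

```powershell
# Added example (not from the thread). Assumes IIS 8.5 / Windows Server 2012 R2 with the
# WebAdministration and PKI modules, and a single website ('Platform', hypothetical name)
# that serves every customer domain. Run from an elevated PowerShell session.
Import-Module WebAdministration

function Install-CustomerCertificate {
    param(
        [Parameter(Mandatory)] [string]       $Domain,      # e.g. app.customerdomain.com
        [Parameter(Mandatory)] [string]       $PfxPath,     # pfx issued for $Domain
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $SiteName = 'Platform'                     # hypothetical site name
    )

    # 1. Load the pfx into the machine's Web Hosting store, marked as exportable
    #    (the "missing step" from the reply above). IIS reads certificates from here.
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\WebHosting' `
        -Password $PfxPassword -Exportable

    # 2. http binding with the customer's hostname, so port 80 answers for that name
    #    (used by the http-01 challenge and by the redirect to https).
    if (-not (Get-WebBinding -Name $SiteName -Protocol http -HostHeader $Domain)) {
        New-WebBinding -Name $SiteName -Protocol http -Port 80 -HostHeader $Domain
    }

    # 3. https binding with the same hostname and SNI required (SslFlags 1 is the
    #    "Require Server Name Indication" checkbox in IIS Manager), so many customer
    #    certificates can share one IP address on port 443.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $Domain)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $Domain -SslFlags 1
    }

    # 4. Attach the certificate to that binding. One binding carries exactly one
    #    certificate, which is why each customer domain needs its own https binding.
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $Domain
    $binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')

    return $cert.Thumbprint
}

# Usage (paths and names are placeholders):
# $pw = Read-Host -AsSecureString 'PFX password'
# Install-CustomerCertificate -Domain 'app.customerdomain.com' `
#     -PfxPath 'C:\certs\app.customerdomain.com.pfx' -PfxPassword $pw
```

Re-running the function for a domain is safe: existing bindings are left alone and only the certificate on the https binding is replaced, which is what a renewal needs.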

This is the step where the problem begins.

We have customers who add custom domains on our platform, and that's unlimited, so we can't add a binding in the IIS server.
Using some scheduled job could be an option, but again that is not real time.

That can't work. And it's possible that it works.

Create a website with an http binding without a hostname -> unknown domain -> that binding + website is used. An application you have to create must run there.

If /.well-known/acme-challenge -> that application sends the validation file.

All other paths -> redirect to https.

That works to create a certificate and save it in the Web Hosting store.

Then you have to create a binding per program (or manually). Why? You can only create certificates with max. 100 domain names. And one binding can only use one certificate. But you can use one website with a lot of bindings (and a lot of different certificates).

That's the setup I use. One application, http is split: /.well-known/acme-challenge is not redirected, other paths are redirected. That's enough to create a new certificate.

Then I create a new binding, manually.

Why manual? If not, everyone could create a CNAME and could use existing content with another domain name. That's something I don't want.

So such a complete automation (creating the bindings automatically) is a risk.
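The catch-all setup from the reply above (a website with an http binding and no hostname, where only /.well-known/acme-challenge is served and every other path is redirected to https), plus a check that addresses the risk it ends with: before any binding is created for a customer name, verify that the platform actually knows that domain and that its DNS really points at this server. This is an added example, not the poster's own setup; it assumes IIS 8.5 with the WebAdministration module, the IIS URL Rewrite module (a separate Microsoft add-on, needed for the host-preserving redirect), and the DnsClient module for `Resolve-DnsName`. The site name, folder and the `custom.domain.com` target are illustrative.

```powershell
# Added example (not from the thread). Assumes IIS 8.5 with the WebAdministration module,
# the IIS URL Rewrite module installed, and Resolve-DnsName (DnsClient module).
# Site name, folder and platform target hostname below are assumptions.
Import-Module WebAdministration

$siteName       = 'AcmeCatchAll'               # hypothetical catch-all site
$siteRoot       = 'C:\inetpub\acme-catchall'   # hypothetical folder
$platformTarget = 'custom.domain.com'          # the hostname customers CNAME to (from the thread)

New-Item -ItemType Directory -Path "$siteRoot\.well-known\acme-challenge" -Force | Out-Null

# web.config: /.well-known/acme-challenge/* is served over plain http as text/plain
# (ACME tokens have no file extension, hence the "." mimeMap); every other http
# request is redirected to https on the same hostname, so this site serves no content.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to https except ACME" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
            <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
  <location path=".well-known/acme-challenge">
    <system.webServer>
      <staticContent>
        <mimeMap fileExtension="." mimeType="text/plain" />
      </staticContent>
    </system.webServer>
  </location>
</configuration>
'@
Set-Content -Path "$siteRoot\web.config" -Value $webConfig -Encoding UTF8

# One http binding with an empty hostname: a domain that has no binding of its own
# (a customer who has just pointed a CNAME at us) lands here. Remove the Default Web
# Site's own *:80 binding first, or the two catch-all bindings will conflict.
if (-not (Get-Website -Name $siteName)) {
    New-Website -Name $siteName -PhysicalPath $siteRoot -Port 80 | Out-Null
}

# Gate for the "one binding per domain" step: a name gets a binding only if the
# platform registered it for a customer AND its DNS points at this server. Without
# the first check, anyone could CNAME a name to the server and have it bound.
function Test-CustomerDomain {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $RegisteredDomains,  # from the platform's customer DB
        [string]   $Target    = $platformTarget,
        [string[]] $ServerIPs = @()                           # our public A-record addresses
    )
    if ($RegisteredDomains -notcontains $Domain.ToLowerInvariant()) { return $false }

    # CNAME case: the record must point at our hostname
    $cname = Resolve-DnsName -Name $Domain -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' }
    if ($cname -and ($cname.NameHost.TrimEnd('.') -ieq $Target)) { return $true }

    # A-record case: the address must be one of ours
    $a = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.QueryType -eq 'A' }
    return [bool]($a | Where-Object { $ServerIPs -contains $_.IPAddress })
}

# Usage: create the https/SNI binding for a domain only when this returns $true.
# Test-CustomerDomain -Domain 'app.customerdomain.com' -RegisteredDomains @('app.customerdomain.com')
```

The redirect rule keeps `{HTTP_HOST}`, so the same catch-all site works for any customer name; the allow-list check is what turns the poster's manual step into something that can be scripted without letting unknown names onto the server.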
