Multiple ssl certificates with one ip and same port but different host headers (IIS 8)

I have an IIS 8 (win 2012 r2) server and i want to bind the same web site to multiple domains and same certificate.
I can’t use wildcard since the domains are different domains.
is there a way to use the same certificate to all my sites?
Do i need to create a different certificate for each domain?

Hi @haviay

Yes you should look into what a SAN Certificate is. It allowed multiple different domains to be covered by one certificate.

I would reccomend you use a software such as certify or letsencrypt-win-simple to do the certificate for you

https://certify.webprofusion.com/home/features

Andrei

Thanks man,
does it can help when i dont know which domains are pointing to my site?

I mean that my customers always add domains by themselve
and i dont even know about it

In this case, usually the control panel software your clients use to add domains is what interfaces with Let’s Encrypt and assigns the certificates in your server. For example, CPanel and Plesk both ship plugins that integrate with Let’s Encrypt easily. Perhaps your control panel software does as well.

you mean that i have to create a certificate for each domain?
Can you send me a link with the details?

The large provider’s integration guide answers this question:

Multi-domain (SAN) Certificates

Our issuance policy allows for up to 100 names per certificate. Whether you use a separate certificate for every hostname, or group together many hostnames on a small number of certificates, is up to you.

Using separate certificates per hostname means fewer moving parts are required to logically add and remove domains as they are provisioned and retired. Separate certificates also minimize certificate size, which can speed up HTTPS handshakes on low-bandwidth networks.

On the other hand, using large certificates with many hostnames allows you to manage fewer certificates overall. If you need to support older clients like Windows XP that do not support TLS Server Name Indication (SNI), you’ll need a unique IP address for every certificate, so putting more names on each certificate reduces the number of IP addresses you’ll need.

For most deployments both choices offer the same security.

For example, the cpanel plugin uses one certificate per domain, but WordPress.com uses many names per certificate. It’s mainly about what’s easiest for integrating with the thing that sets up web sites in the first place.

read the manual :smiley:

but like most things in computing if it can’t find a configuration or you don’t tell it what you want to do it’s not going to figure it out by itself

In the case of certify it uses your IIS configurations to find a list of domains. lets-encrypt-win-simple gives you a bit more flexibility however - it won’t figure out who’s connecting to your server as it also looks at IIS bindings or waits for the user to enter the right domains.

If you have customers that access your web server without a specific binding and hostname etc that’s a challenge for you to sort out :smiley:

Andrei

If i understood you well
it is better to create a different certificate for each domain.
How can i create certificate through API?

both of these points were covered earlier in the post - no need to repeat myself :smiley:

If you want to programmatically create certificates from whatever application your clients use to add domains to your server, you can use one of the client libraries.

If you want to obtain certificates based on your current IIS configuration or manually, Andrei has indeed answered your question with several client options, but they are also listed higher up on the same page.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.