SAN Certificate for IIS7 Server (How Do I Do It?)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Multiple domain names, eight in all

I ran this command: n/a

It produced this output: n/a

My web server is (include version): IIS7

The operating system my web server runs on is (include version): Win 7 64 bit SP1

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Using IIS7 management tools

Some important details:
We have a dynamic IP address from our ISP
We use Namecheap domains and dynamic DNS service
We’re running Windows 7 64bit SP1, which has IIS7

So far, we’ve been able to secure only one site. Any other site that tries to bind to port 443 results in a port conflict. This is not the case with port 80 (all sites bind HTTP to port 80 with no issues).

The domain names are diverse and there is no common root domain, so the binding of host headers defined in the SAN isn’t a viable option, so I’ve read.

It was suggested that I get a SAN certificate to cover all eight web domains/sites on this server because of the limitations of only being able to bind one cert to port 443.

I am looking for walk-through assistance with the steps for this, as it’s outside of the script I used to install these certs initially.

How do I request a SAN cert? How do I install it so it covers all eight domains?


#2

There are several ACME clients for Windows…
But IIS7 does NOT support SNI.
SNI allows a single IP to host multiple site names.
IIS8(+) is required for SNI - or a recent release of Apache for Windows, or NGINX for Windows, can be used to proxy all incoming requests to IP individualized IIS7 sites.


#3

SAN certificates don’t require SNI, but it’s not clear to me whether it’s possible to “bind” a single certificate to multiple websites in IIS7.

As for how to create a SAN certificate … you do it the same way as you do it for a non-SAN certificate. Just add more domains to it.


#4

I used Letsencrypt.exe from the letsencrypt-win-simple package to generate certs and install them. But I’m not sure if it’s possible to add multiple domain names using their tool.

If I succeed in creating a SAN cert, how does it get bound? Do I bind it to “default web site” or some other way, such as one of the actual web sites?


#5

Each website that needs TLS would require the SAN cert bound to it.
However, since they are all on the same IP and IIS7 doesn’t support SNI, you will probably get the output of one site no matter which name you connect to.


#6

Yes, and the problem is that there is a certificate mismatch when I allow the cert for site A to be used for site B.


#7

SAN certs are supported by all ACME clients (AFAIK).
You would bind the SAN cert like you would bind any other certs - one to every site that requires encryption [you simply use the same one over and over].

Probably because you don’t yet have a SAN cert - or are still using IIS7 (which doesn’t support SNI).
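Added example, not from the thread or from any ACME client: since IIS7 presents one certificate for every name on the IP, this Python check compares the hostnames bound to port 443 against the certificate's SAN list (in the `DNS:` form a cert viewer prints) and reports which names would still produce the mismatch described in #6. All hostnames and SAN entries are constructed placeholders.

```python
# Added example, not from the thread or any ACME client: check that one SAN
# certificate covers every hostname served on a single IP:443. Without SNI
# (IIS7), the server presents the same certificate for every name, so any
# name missing from the SAN list is a certificate mismatch for that site.

def parse_san_line(san_line: str) -> list:
    """Parse the SAN text a cert viewer prints, e.g.
    'DNS:www.a.test, DNS:b.test, IP Address:203.0.113.5' -> DNS names only."""
    names = []
    for entry in san_line.split(","):
        entry = entry.strip()
        if entry.lower().startswith("dns:"):
            names.append(entry[4:].strip())
    return names

def name_matches(hostname: str, san_name: str) -> bool:
    """RFC 6125 DNS-ID comparison: case-insensitive, wildcard allowed only as the
    whole leftmost label, matching exactly one label (not the bare domain, not
    deeper subdomains). Partial wildcards like 'f*.a.test' are not honoured."""
    host = hostname.lower().rstrip(".")
    san = san_name.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                      # "*.a.test" -> ".a.test"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost

def uncovered_hosts(bound_hosts, san_names) -> list:
    """Hostnames bound to the IP that the certificate would NOT cover."""
    return [h for h in bound_hosts
            if not any(name_matches(h, s) for s in san_names)]

# Constructed sample data: eight site bindings on one IP and the SAN line of a
# certificate that was issued for only seven of them.
BOUND_HOSTS = ["www.alpha.test", "alpha.test", "shop.beta.test", "gamma.test",
               "www.gamma.test", "delta.test", "blog.delta.test", "epsilon.test"]
SAN_LINE = ("DNS:www.alpha.test, DNS:alpha.test, DNS:shop.beta.test, "
            "DNS:gamma.test, DNS:www.gamma.test, DNS:*.delta.test, "
            "DNS:delta.test")

if __name__ == "__main__":
    missing = uncovered_hosts(BOUND_HOSTS, parse_san_line(SAN_LINE))
    print("names that would mismatch:", missing)   # ['epsilon.test']
```

Run it against the real SAN list of the issued certificate and the host headers of the eight sites: any name it prints has to be added to the certificate before the binding will validate for that site.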