Friday, 6 March 2009

Securing Multiple Sub Domains in IIS 7 with Wildcard SSL

This used to be a real pain in IIS 6.0 but it's gotten a lot easier in IIS 7.

Let's say you set up a web server with the following sites...
You could bind each individual site to a specific IP Address but this can be expensive and simply doesn't scale. What you should be doing is using Host Headers to help IIS differentiate requests for the different end-points. For a good overview of how to do this take a look at Setting Host Headers in IIS 6.0.

Now, you can do exactly the same thing with https - but there's no UI for it. Possibly the most requested feature hasn't made it into IIS 7. Amazing!

So, here's what to do...
  1. Add a new binding for the web site. Set it to be https, keep the default port and choose the SSL Certificate from the dropdown.
  2. Open <$System32>/inetsrv/Config/applicationHost.xml.
  3. Search for the host header for that site.
  4. Edit the https binding by appending the host header (it follows the same pattern as the http entry).
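
Steps 3 and 4 done by script, as an added example that is not part of the original post: it copies each site's http host header onto its empty https binding, and goes one step further by skipping hosts the wildcard certificate cannot cover. The embedded XML, the site names, the `example.com` hosts, the `$wildcard` value and the `Test-WildcardMatch` helper are all assumptions made for illustration.

```powershell
# Constructed sample of the <sites> section; site names and hosts are made up.
[xml]$config = @'
<sites>
  <site name="Site1" id="1"><bindings>
    <binding protocol="http" bindingInformation="*:80:site1.example.com" />
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
  <site name="Nested" id="2"><bindings>
    <binding protocol="http" bindingInformation="*:80:a.b.example.com" />
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
</sites>
'@
$wildcard = '*.example.com'   # assumed subject of the wildcard certificate

# bindingInformation is IP:port:host. Anchor on the last two colons so a
# bracketed IPv6 address in the IP part does not break the split.
$pattern = '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$'

function Test-WildcardMatch([string]$HostName, [string]$Wildcard) {
    # A wildcard covers exactly one label: *.example.com matches
    # site1.example.com, but not example.com or a.b.example.com.
    $suffix = $Wildcard.Substring(1)
    if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
    return ($label.Length -gt 0) -and (-not $label.Contains('.'))
}

foreach ($site in $config.SelectNodes('//site')) {
    $name = $site.GetAttribute('name')
    # Host headers already present on this site's http bindings.
    $hosts = @($site.SelectNodes("bindings/binding[@protocol='http']") |
        ForEach-Object { if ($_.GetAttribute('bindingInformation') -match $pattern) { $Matches['host'] } } |
        Where-Object { $_ })
    foreach ($b in $site.SelectNodes("bindings/binding[@protocol='https']")) {
        if ($b.GetAttribute('bindingInformation') -notmatch $pattern) { continue }
        $ip, $port, $current = $Matches['ip'], $Matches['port'], $Matches['host']
        if ($current) { continue }   # https binding already has a host header
        if ($hosts.Count -ne 1) { "SKIP ${name}: need exactly one http host header"; continue }
        if (-not (Test-WildcardMatch $hosts[0] $wildcard)) {
            "SKIP ${name}: $($hosts[0]) is not covered by $wildcard"; continue
        }
        $b.SetAttribute('bindingInformation', "${ip}:${port}:$($hosts[0])")
        "SET  ${name}: ${ip}:${port}:$($hosts[0])"
    }
}
$config.OuterXml   # edited section, for review before it replaces the original
```

On the sample, `Site1` gets `*:443:site1.example.com`, while `Nested` is skipped because `a.b.example.com` sits two labels below the wildcard and would fail certificate name validation.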