Mark Keats

Software Engineer and UX/IA Pro

Wildcard SSL Certificates in IIS7 with Host Headers

June 11th, 2009

I have just run into an interesting issue with IIS7 when using the HTTPS protocol to secure a site. At work we have a Salesforce integration that loads our ASP.NET application inside an IFrame, but because Salesforce is secured over HTTPS and our application isn't, users were receiving a "This page contains non-secure content…" error message when using their Salesforce application.

All our client systems are available as sub-domains under our company's main domain, i.e. client1.domain.com, client2.domain.com, etc. To give us flexibility and the most cost-effective solution I purchased a wildcard SSL certificate from GoDaddy, which secures *.domain.com, allowing us to use a single SSL certificate for all our clients.

Installing the SSL certificate in IIS is fairly straightforward and is covered in detail on the GoDaddy support site. The problem starts when you try to add an HTTPS binding to a site. As the screenshot below shows, when you choose the HTTPS protocol the host name box is disabled:

Host Header Greyed Out for HTTPS

Researching this brings up the reasoning behind it, as detailed in a post on Thomas Deml’s blog:

The host name is encrypted in the SSL blob that the client sends. Because the host name is part of the binding IIS needs the host name to look up the right certificate. Without the host name IIS can't look up the right site because the binding is incomplete. Without the certificate IIS can't decrypt the SSL blob that contains the host name.

Luckily there is a way around this, but it only works if every site you want to secure in IIS is covered by the same SSL certificate. The reason is that IIS 7 has no Server Name Indication support (that arrived in IIS 8): the certificate is bound in http.sys to an IP address and port, not to a host name, so all HTTPS sites sharing an IP and port necessarily share one certificate. As all our sites would be secured with just our one wildcard certificate I was able to use this method.

First you must set up the Default Web Site on your server (i.e. the site that has no host header specified) to have an HTTPS binding on port 443. This HTTPS binding must be configured to use your wildcard SSL certificate, because the certificate is attached to *:443 rather than to the site: any host-header bindings we add later to other sites on the same IP address and port will use the certificate selected here.

Default Web Site HTTPS Binding

Once you have this configured, run the following command (appcmd.exe lives in C:\Windows\System32\inetsrv\) for each site you want to secure, substituting the IIS site name and the host header for that site:

appcmd set site /site.name:"<SiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<HostHeader>']

Return to IIS Manager and you will see that your sites now have an HTTPS binding with a host header, and that the SSL certificate specified for your Default Web Site is selected:

HTTPS Binding with Host Header

One last point: if you try to edit this binding in IIS Manager it will delete the host header and change the SSL certificate back to 'Not Selected'. If this happens, delete the binding and re-run the command line to add it again.
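The whole procedure scripted, as an added PowerShell example that is not part of the original post. It assumes the Default Web Site already has its HTTPS binding on *:443 backed by the wildcard certificate, that the client sites already exist, and that it is run from an elevated prompt on the IIS 7 server; the site names and host headers in $sites are placeholders. It first checks with netsh that a certificate really is bound to 0.0.0.0:443 in http.sys (the binding every host-header site will inherit), then adds the host-header HTTPS binding to each site with appcmd, removing and re-adding it if one is already there so that a binding mangled by IIS Manager is repaired rather than left broken.

```powershell
# Added example, not code from the original post. Placeholders: $sites.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

$sites = @{                                # hypothetical IIS site name -> host header
    'client1' = 'client1.domain.com'
    'client2' = 'client2.domain.com'
}

# In IIS 7 the certificate is held by http.sys against an IP:port, not a site or host
# name. If nothing is bound to 0.0.0.0:443 the host-header bindings below would have no
# certificate, so stop and add the Default Web Site HTTPS binding first.
$sslcert = (& netsh http show sslcert ipport=0.0.0.0:443) -join "`n"
if ($sslcert -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
    throw 'No certificate is bound to 0.0.0.0:443; add the HTTPS binding to the Default Web Site first.'
}
$certHash = $Matches[1]
Write-Host "Every *:443 host-header binding will use certificate $certHash"

function Add-HostHeaderHttpsBinding {
    param([string]$SiteName, [string]$HostHeader)

    $bindingInfo = "*:443:$HostHeader"
    $binding     = "[protocol='https',bindingInformation='$bindingInfo']"

    # /text:bindings prints the site's binding list, e.g. http/*:80:client1.domain.com
    $current = & $appcmd list site "$SiteName" /text:bindings
    if ($LASTEXITCODE -ne 0 -or -not $current) { throw "Site '$SiteName' not found" }

    if ($current -match [regex]::Escape("https/$bindingInfo")) {
        # Editing the binding in IIS Manager drops the host header and the certificate,
        # so do what the post recommends: remove the binding and add it again.
        & $appcmd set site "/site.name:$SiteName" "/-bindings.$binding" | Out-Null
    }
    & $appcmd set site "/site.name:$SiteName" "/+bindings.$binding" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "appcmd could not add $bindingInfo to '$SiteName'" }

    # Confirm the binding is really there before moving on
    $after = & $appcmd list site "$SiteName" /text:bindings
    if ($after -notmatch [regex]::Escape("https/$bindingInfo")) {
        throw "Binding $bindingInfo missing from '$SiteName' after appcmd ran"
    }
    Write-Host "$SiteName -> https/$bindingInfo"
}

foreach ($name in $sites.Keys) {
    Add-HostHeaderHttpsBinding -SiteName $name -HostHeader $sites[$name]
}
```

After it runs, `netsh http show sslcert` should still list a single certificate for 0.0.0.0:443, and `appcmd list site` should show an https/*:443:hostname entry for each client site. If you later move to IIS 8 or newer, the same appcmd binding can carry the SNI flag and a per-host certificate, which removes the one-certificate restriction this post works around.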

Written by Mark Keats
