Multiple SSL certificates to access one ASP.NET application in IIS?

Your problem is unsolvable due to the way the SSL protocol and virtual hosts work. You have to use only a single certificate per IP, regardless of the number of name based virtual hosts served by it. As Brian has already suggested, you can place several alternative virtual host names on that single certificate (using the subjectAltName x.509 extension - see tools.ietf.org/html/rfc3280#section-4.2.1.7), but it will still be just a single certificate.

Visitors to one of your virtual hosts will be able to determine all the other virtual hosts simply by analyzing the certificate extension. The limitation is due to how the HTTPS protocol is organized - it's simply HTTP stacked on top of SSL. So when a client connects to the server, it first has to establish an SSL session - this is the stage during which the server presents the certificate. At this stage, the server does not know what virtual host the client will ask for because the client will do it later, only after having established the SSL session.

Only after the SSL session has been established, the client initiates the HTTP dialogue by sending the HTTP client headers, which include the "Host:" header indicating the web site's host address the client is asking for. This is long after the server certificate has been sent to the client.

Instead of using a wildcard certificate you could put the alternate names in the Subject Alternate Name (SAN) attribute of the SSL certificate. You will configure IIS to use the same certificate for both bindings. Hope this helps, -brian.

You could run a reverse proxy (use nginx for example) in front of your application. The reverse proxy would take care of the two certificates for you. The reverse proxy would listen on https://fqdn1/ and https://fqdn2/ with respective certificates and would proxy for http://localhost/application/ or whatever.

HTH Bram.
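An nginx configuration implementing the reverse-proxy approach Bram describes, added here as an example (not part of any answer above). It assumes the IIS application is reachable at http://127.0.0.1:8080/application/, that the two hostnames are fqdn1 and fqdn2, that each one has its own address (192.0.2.10 and 192.0.2.11 are placeholder documentation addresses) so each address carries exactly one certificate, and that the key and certificate files live under /etc/nginx/certs/.

```nginx
# Added example: one server block per hostname, each on its own address with
# its own certificate, both proxying to the same IIS application over plain
# HTTP on the loopback interface. Addresses and paths are placeholders.

server {
    listen 192.0.2.10:443 ssl;
    server_name fqdn1;

    ssl_certificate     /etc/nginx/certs/fqdn1.crt;
    ssl_certificate_key /etc/nginx/certs/fqdn1.key;

    location / {
        proxy_pass http://127.0.0.1:8080/application/;
        # Preserve the original hostname and scheme so the application can
        # build correct absolute URLs and treat the request as HTTPS.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    listen 192.0.2.11:443 ssl;
    server_name fqdn2;

    ssl_certificate     /etc/nginx/certs/fqdn2.crt;
    ssl_certificate_key /etc/nginx/certs/fqdn2.key;

    location / {
        proxy_pass http://127.0.0.1:8080/application/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, `openssl s_client -connect 192.0.2.10:443 -showcerts` and the same against 192.0.2.11 let you confirm that each address presents only its own certificate; keep port 8080 on IIS bound to 127.0.0.1 only, so the plain-HTTP backend is not reachable from outside the host.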
