MDCs and Wildcard certificates and single IP addresses for IIS 6

May 25, 2018 in SSL Technical FAQs

MDCs and Wildcard certificates and single IP addresses

Part One : IIS

Based on the information in the two articles below, we have found that if you are running a correctly patched IIS 6 on Windows Server 2003 (Service Pack 1), it is entirely possible to run multiple SSL-secured sites on a single IP address.

http://support.microsoft.com/Default.aspx?id=187504
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx

Below are some extracts from these articles on how this may be done.

Obtaining a Wildcard /MDC Server Certificate (IIS 6.0)

A wildcard server certificate works with many SSL sites, because a wildcard (*) is used to stand for the host header name for each of the sites. All SSL-enabled Web sites that use the same IP/port binding and are distinguished only by their host header names must use the same wildcard server certificate.

Important

Not all Certification Authorities (CAs) issue Wildcard / MDC certificates.

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures
To obtain a wildcard server certificate
1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.
2. Right-click the Web site for which you want to obtain a wildcard server certificate, and then click Properties.
3. On the Directory Security tab, under Secure communications, click Server Certificate.
4. In the Web Server Certificate Wizard, click Create a new certificate.
5. Follow the Web Server Certificate Wizard, which will guide you through the process of requesting a new server certificate. On the Your Site's Common Name page, type a name in the Common name box, using the following format:

*.<domain name>
for example, *.example.com

or, if you wish to request an MDC certificate, specify a phrase or description of what you want to appear on the certificate, for example “Secure Sites hosted by (webhost name)”.

By default, the certificate request file is saved as C:\Certreq.txt, but the wizard allows you to specify a different location.
6. Click Finish to complete the wizard.

After you receive the wildcard server certificate from the Certification Authority (CA), assign the certificate on all Web sites that have the same IP/port binding and are distinguished only by host header name.

You can do this by clicking Server Certificate and choosing “Assign an existing certificate”.

Important The installation procedure for these certificates is identical to any other certificates.

Once the certificate has been installed, go to the Web Site tab and, next to “IP address”, make sure this is

Click Advanced next to “IP address”.

Edit the “Multiple identities for the web site” list and add a “Host header value”, which is the host header for the Web site, for example, site2.contoso.com or site4.contoso.com.

Click OK and then Apply.

Configuring Server Bindings for SSL Host Headers (IIS 6.0)

In addition to installing a wildcard server certificate on SSL-enabled Web sites, you must also configure the SecureBindings metabase property on each site so it contains the host header name of the site. All SSL-enabled sites that use the same IP/port binding and are distinguished only by host header name must use the same wildcard server certificate.
Important
You must configure secure bindings for all SSL-enabled Web sites that use the wildcard server certificate to prevent unauthorized use of the certificate.
Important
You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).

Procedures

To configure the SecureBindings metabase property for SSL host headers

1. Click Start, click Run, type cmd in the Open box, and then click OK.
2. Type the following command at the command prompt:

cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc/<site identifier>/securebindings ":443:<host header>"

where <site identifier> is the unique number that identifies the site and <host header> is the host header for the Web site, for example, site2.contoso.com or site4.contoso.com. Use double quotes: cmd.exe does not treat single quotes as quoting characters, so they would become part of the stored binding value.

3. In IIS Manager, right-click the local computer, click All Tasks, and then click Restart IIS.

Once the sites have restarted, click the Web Sites folder and make sure each domain is listed on port 80 with no SSL port number.


Ensuring That Secure Content Is Served Over HTTPS Only (IIS 6.0)

After a certificate is installed on a site, it can be served over HTTP or HTTPS. To ensure that only SSL requests are served, you must configure the AccessSSL metabase property to force SSL content requests only.
Important
You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).
Procedures
To force SSL content requests only
1. Click Start, click Run, type cmd in the Open box, and then click OK.
2. Type the following command at the command prompt:
cscript.exe adsutil.vbs set /w3svc/<site identifier>/AccessSSL TRUE
where <site identifier> is the unique number that identifies the site.
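The two adsutil.vbs procedures above (SecureBindings per site, then AccessSSL per site) are easy to get subtly wrong when several sites share one wildcard certificate: a binding with an empty host header makes that site answer every HTTPS request to the IP/port, which is exactly the "unauthorized use of the certificate" the article warns about. The following Python script is an added example, not code from the original article or from Microsoft. It does not touch a metabase: it generates the adsutil.vbs command lines from the article for a planned set of sites, refuses host headers the wildcard certificate would not cover, and audits a constructed snapshot of existing SecureBindings values for the common mistakes. Site numbers and host names are constructed; the adsutil.vbs path is the one used in the article.

```python
"""Plan and audit IIS 6 SSL host-header bindings for sites sharing one
wildcard certificate on a single IP/port.

Added example (not from the original article). It emits the adsutil.vbs
commands described in the article and audits SecureBindings values; it
never connects to a metabase. All site ids and host names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Path to adsutil.vbs as used in the article (assumed default location).
ADSUTIL = r"cscript.exe c:\inetpub\adminscripts\adsutil.vbs"


@dataclass(frozen=True)
class SslSite:
    site_id: int       # W3SVC site identifier (the unique number for the site)
    host_header: str   # e.g. site2.contoso.com; must fall under the wildcard


def host_covered(host: str, wildcard_domain: str) -> bool:
    """*.example.com covers exactly one extra label to the left of the domain:
    site2.example.com yes, a.b.example.com no, example.com itself no."""
    h, d = host.lower(), wildcard_domain.lower()
    return h.endswith("." + d) and len(h.split(".")) == len(d.split(".")) + 1


def secure_binding(host_header: str, ip: str = "", port: int = 443) -> str:
    """One SecureBindings entry in the metabase format IP:port:hostheader.
    An empty IP means 'All Unassigned', which is what the article's
    ':443:<host header>' value expresses."""
    if not host_header:
        # An empty host header would make the site answer every name on IP:port.
        raise ValueError("host header must not be empty")
    return f"{ip}:{port}:{host_header}"


def plan_commands(sites: List[SslSite], wildcard_domain: str) -> List[str]:
    """adsutil.vbs commands from the article: SecureBindings, then AccessSSL,
    for every site. Uses double quotes because cmd.exe does not treat single
    quotes as quoting characters."""
    cmds = []
    for s in sites:
        if not host_covered(s.host_header, wildcard_domain):
            raise ValueError(f"{s.host_header} is not covered by *.{wildcard_domain}")
        cmds.append(f'{ADSUTIL} set /w3svc/{s.site_id}/SecureBindings '
                    f'"{secure_binding(s.host_header)}"')
        cmds.append(f"{ADSUTIL} set /w3svc/{s.site_id}/AccessSSL TRUE")
    return cmds


def audit(bindings: Dict[int, List[str]]) -> List[str]:
    """Findings for a snapshot {site_id: [SecureBindings entries]}.
    Flags sites with no secure binding, bindings without a host header
    (the site would serve any HTTPS request to the IP/port), malformed
    entries, and one host header bound on two sites."""
    findings: List[str] = []
    seen: Dict[str, int] = {}
    for site_id, entries in sorted(bindings.items()):
        if not entries:
            findings.append(f"site {site_id}: no SecureBindings entry")
        for e in entries:
            parts = e.split(":")
            if len(parts) != 3:
                findings.append(f"site {site_id}: malformed binding {e!r}")
                continue
            _ip, _port, host = parts
            if not host:
                findings.append(f"site {site_id}: binding {e!r} has no host header")
            elif host in seen:
                findings.append(
                    f"site {site_id}: host header {host} also bound on site {seen[host]}")
            else:
                seen[host] = site_id
    return findings


if __name__ == "__main__":
    # Constructed plan: two sites behind one *.contoso.com certificate.
    plan = [SslSite(1, "site2.contoso.com"), SslSite(2, "site4.contoso.com")]
    for c in plan_commands(plan, "contoso.com"):
        print(c)
    # Constructed snapshot of what a server might already have configured.
    snapshot = {1: [":443:site2.contoso.com"], 2: [":443:"], 3: []}
    for f in audit(snapshot):
        print("FINDING:", f)
```

Run the printed commands on the IIS 6 host from an elevated command window as the article describes, then restart IIS. To feed `audit` with real data, collect the SecureBindings value of each site with `adsutil.vbs get /w3svc/<site identifier>/SecureBindings` and paste the entries into the snapshot dictionary.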