Thursday, August 09, 2007

MOSS with SSL Wildcard Certificates and Host Headers

We needed a setup that would work with MOSS combined with Host Headers and SSL. It was either using Host Headers or going to the Networks Department with a big smile and handing them an RFC for 150+ IP addresses...

Just using Host Headers with IIS is not a problem. Using Host Headers combined with SSL and MOSS is tricky at best. Joel has a good place to start. Combined with the article from Adrian Spear and a bit of testing for the missing MOSS piece of the puzzle we arrived at a working solution.

We have taken the following approach. First we get a list of site IDs and put them aside for later use. We install the Wildcard certificate on the websites, which temporarily disables them. Then we tell IIS to set the Host Header on the SSL-enabled websites. As a last step we let MOSS know the Web Applications are using SSL:



  1. Get a list of site IDs:
    cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs enum w3svc /p
  2. Install the WildCard certificate on the IIS Websites.
    Only the first website will keep running; the rest of the modified websites will stop. This is due to conflicting settings and will be resolved in the following step.
  3. Set SecureBindings for all websites running SSL, using the following statement, for each website:
    cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs set /w3svc/<Site ID>/SecureBindings ":443:<Host Header>"

    for example:
    cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs set /w3svc/1073495765/SecureBindings ""

    (Get the site IDs from the output of Step 1 and match each site ID with the site's Host Header. The Host Header can be found in IIS Manager.)
  4. Perform an IISreset to start all the websites again.
  5. Now, go to Central Administration > Operations > Alternate Access Mappings > Edit Public Zone URLs and change all SSL-enabled sites from http:// to https://. The precise amount of editing depends on the AAM settings you use.
  6. Back up your metabase!
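
Repeating step 3 by hand for many sites invites mismatched IDs and typos, so here is an added example (not part of the original post) that turns the step 1 output and a site ID to Host Header mapping into the step 3 commands. It refuses names the wildcard certificate would not cover, since a wildcard matches exactly one label. The bracketed output layout, the example.com names, the second site ID and all function names are assumptions.

```python
import re

# Constructed sample of `adsutil.vbs enum w3svc /p` output (step 1); the
# bracketed-path layout is an assumption about what the script prints.
ENUM_OUTPUT = """\
[/w3svc/1]
[/w3svc/1073495765]
[/w3svc/2051234567]
[/w3svc/AppPools]
[/w3svc/Filters]
[/w3svc/Info]
"""

# Constructed mapping of site ID -> Host Header, as read from IIS Manager.
HOST_HEADERS = {
    "1073495765": "portal.example.com",
    "2051234567": "teams.example.com",
}

ADSUTIL = r"cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs"
# Letters, digits, hyphens and dots only, so nothing can break out of the quotes.
HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def site_ids(enum_output):
    """Return numeric site IDs, skipping AppPools, Filters and Info."""
    return re.findall(r"^\[/w3svc/(\d+)\]\s*$", enum_output, re.MULTILINE)

def covered_by(wildcard, host):
    """True if host sits exactly one label below the wildcard's domain."""
    suffix = wildcard[1:].lower()              # "*.example.com" -> ".example.com"
    prefix = host.lower()[: -len(suffix)]
    return host.lower().endswith(suffix) and prefix != "" and "." not in prefix

def binding_commands(enum_output, host_headers, wildcard):
    """Build the step 3 commands; reject unknown IDs, bad names, duplicates."""
    known, seen, commands = set(site_ids(enum_output)), set(), []
    for site_id, host in sorted(host_headers.items()):
        if site_id not in known:
            raise ValueError(f"site ID {site_id} is not in the step 1 listing")
        if not HOST_RE.match(host) or not covered_by(wildcard, host):
            raise ValueError(f"{host} is not covered by {wildcard}")
        if host.lower() in seen:
            raise ValueError(f"duplicate Host Header {host} on port 443")
        seen.add(host.lower())
        commands.append(f'{ADSUTIL} set /w3svc/{site_id}/SecureBindings ":443:{host}"')
    return commands

if __name__ == "__main__":
    print("\n".join(binding_commands(ENUM_OUTPUT, HOST_HEADERS, "*.example.com")))
```

Review the printed commands before running them on the web server, then continue with step 4.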

I'm not entirely sure about step 5, as there are other viable scenarios. On our six MOSS Farms, each hosting more than 10 Web Applications, it worked like a charm however.

If you want to know more about WildCard SSL Certificates and Host Headers in IIS 6.0, an article from Chris Adams is a good introduction on the subject matter.


So it can be done... awesome. Thanks so much.
This method has worked great for us in production but one thing I was not aware of that has caused us some confusion is that "the secure bindings for an IIS 6.0 Web site are removed when you install or renew a server certificate."

See this article:
That's good to know Greg, thanks!