Archive for May 4, 2014

SSL Host Headers in IIS 7

Posted: May 4, 2014 in Windows

1. Obtain an SSL certificate and install it into IIS 7. For step-by-step instructions on how to do this, see Installing an SSL Certificate in Windows Server 2008 (IIS 7.0).

2. Once the certificate is installed into IIS, bind it to the first site on the IP address.

3. Open the command prompt by clicking the Start menu, typing “cmd” and pressing Enter.

4. Navigate to C:\Windows\System32\Inetsrv\ by typing “cd C:\Windows\System32\Inetsrv\” on the command line.

5. In the Inetsrv folder, run the following command for each of the other websites on the IP address that need to use the certificate (enter it as a single line):

appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

Replace <IISSiteName> with the name of the IIS site and <hostHeaderValue> with the host header for that site (site1.mydomain.com).

6. Test each website in a browser. It should bring up the correct page and show the lock icon without any errors. If it brings up the web page of the first IIS site, then SSL Host Headers haven’t been set up correctly.
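One way to check the result of step 5 before testing in a browser is to audit the https bindings that appcmd reports. This is an added example, not part of the original post; the site names, the sample output and the function name Get-HttpsBindingReport are constructed for illustration.

```powershell
# Added example. $sample is constructed text in the format printed by
# "appcmd list site"; on the server, use instead:
#   $sample = & "$env:windir\System32\inetsrv\appcmd.exe" list site
$sample = @(
    'SITE "Default Web Site" (id:1,bindings:http/*:80:,https/*:443:,state:Started)',
    'SITE "Site1" (id:2,bindings:http/*:80:site1.mydomain.com,https/*:443:site1.mydomain.com,state:Started)',
    'SITE "Site2" (id:3,bindings:http/*:80:site2.mydomain.com,state:Started)',
    'SITE "Site3" (id:4,bindings:http/*:80:site3.mydomain.com,https/*:443:,state:Started)'
)

function Get-HttpsBindingReport {
    param([string[]]$Lines)
    $rows = @()
    foreach ($line in $Lines) {
        $site = [regex]::Match($line, '^SITE "(?<name>[^"]+)" \(id:\d+,bindings:(?<b>.*),state:\w+\)$')
        if (-not $site.Success) { continue }
        $name  = $site.Groups['name'].Value
        $https = @($site.Groups['b'].Value -split ',' | Where-Object { $_ -match '^https/' })
        if ($https.Count -eq 0) {
            # A site without its own https binding is answered by the first site's binding.
            $rows += New-Object PSObject -Property @{ Site = $name; Endpoint = ''; HostHeader = ''; Finding = 'no https binding' }
            continue
        }
        foreach ($b in $https) {
            # bindingInformation is IP:port:hostHeader; match from the right so IPv6 literals survive.
            $m = [regex]::Match($b, '^https/(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$')
            if (-not $m.Success) { continue }
            $rows += New-Object PSObject -Property @{
                Site       = $name
                Endpoint   = $m.Groups['ip'].Value + ':' + $m.Groups['port'].Value
                HostHeader = $m.Groups['host'].Value
                Finding    = 'ok'
            }
        }
    }
    # Only one site per IP:port may hold the https binding with a blank host header.
    $blank = $rows | Where-Object { $_.Endpoint -and -not $_.HostHeader } | Group-Object Endpoint
    foreach ($g in $blank) {
        if ($g.Count -gt 1) {
            $g.Group | ForEach-Object { $_.Finding = 'blank host header shared with another site' }
        }
    }
    $rows | Select-Object Site, Endpoint, HostHeader, Finding
}

Get-HttpsBindingReport -Lines $sample | Format-Table -AutoSize
```

With the constructed sample, Site2 is reported as having no https binding, and Default Web Site and Site3 are flagged for sharing a blank host header on *:443.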

If you have multiple Windows servers that need to use the same SSL certificate, such as in a load-balancer environment or when using wildcard or UC SSL certificates, you can export the certificate to a .pfx file and import it on a new Windows server. This may also be necessary when you switch hosting companies. We will go over the exact process with step-by-step instructions in this article. If necessary, you can copy the SSL certificate to an Apache or other type of server.

We will assume that you have already successfully installed the SSL certificate on one Windows web server. You will follow these steps to move or copy that working certificate to a new server:

  1. Export the SSL certificate from the server with the private key and any intermediate certificates into a .pfx file.
  2. Import the SSL certificate and private key on the new server.
  3. Configure your web sites to use them in IIS.

On a Windows server you will need to export your certificate from the MMC console to a .pfx file with your private key. You can then copy that .pfx file to the new Windows server and import it. The following screenshots are from a Windows Server 2008 machine but any differences for Windows Server 2003 are noted.

Export the certificate from the Windows MMC Console

Note: These instructions will have you export the certificate using the MMC console. If you have Windows Server 2008 (IIS7) you can also import and export certificates directly in the Server Certificates section in IIS.

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.
  3. Click on the File menu and click Add/Remove Snap-in…
  4. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.
  5. Click on Computer Account and click Next.
  6. Leave Local Computer selected and click Finish.
  7. If you are using Windows Server 2003, click the Close button. Click OK.
  8. Click the plus sign next to Certificates in the left pane.
  9. Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export…
  10. In the Certificate Export Wizard click Next.
  11. Choose “Yes, export the private key” and click Next.
  12. Click the checkbox next to “Include all certificates in the certification path if possible” and click Next.
  13. Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.
  14. Click Browse and find a location to save the .pfx file to. Type in a name such as “mydomain.pfx” and then click Next.
  15. Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.

Import the certificate in the Windows MMC Console

After you have exported the certificate from the original server you will need to copy the .pfx file that you created to the new server and follow these import instructions.

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.
  3. Click on the File menu and click Add/Remove Snap-in…
  4. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.
  5. Click on Computer Account and click Next.
  6. Leave Local Computer selected and click Finish.
  7. If you are using Windows Server 2003, click the Close button. Click OK.
  8. Right-click on the Personal folder and select All Tasks and then Import…
  9. In the Certificate Import Wizard click Next.
  10. Click the Browse button and change the file type from “X.509…” to “Personal Information Exchange (*.pfx, *.p12)”. Find the .pfx file that you copied over and click Open and then Next.
  11. Enter the password that you set when you exported the .pfx file and click “Mark this key as exportable” so you can export the certificate from this machine as well as the original. Click Next.
  12. Click “Automatically select the certificate store based on the type of certificate” and click Next.
  13. Click Finish to complete the wizard.
  14. You can now click the Refresh button in the toolbar to refresh and find your certificate in the Certificates folder under Personal. You can verify that it was imported correctly by double-clicking it and looking for “You have a private key that corresponds to this certificate” at the bottom of the certificate dialog.
  15. Close the MMC console. You do not need to save any changes.
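The check in step 14 can also be done from PowerShell for every certificate in the Personal store at once. This is an added example, not part of the original article; the function name Test-ImportedCertificate is hypothetical, and the exportable flag is read only for CryptoAPI (CSP) RSA keys.

```powershell
# Added example: post-import check of the LocalMachine\My ("Personal") store.
# Run in an elevated PowerShell session on the server that received the .pfx.
function Test-ImportedCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Build the chain without revocation lookups to confirm that the
    # intermediate certificates included in the .pfx were imported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)

    # Report whether the private key was marked exportable during import.
    $exportable = 'n/a'
    if ($Cert.HasPrivateKey) {
        $exportable = 'unknown'
        try {
            $key = $Cert.PrivateKey
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            $exportable = 'unknown'   # key present but not readable from this session
        }
    }

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        DaysLeft      = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        HasPrivateKey = $Cert.HasPrivateKey   # same fact as the dialog text in step 14
        Exportable    = $exportable
        ChainBuilds   = $chainOk
        ChainLength   = $chain.ChainElements.Count
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ImportedCertificate $_ } |
    Select-Object Subject, Thumbprint, NotAfter, DaysLeft, HasPrivateKey, Exportable, ChainBuilds, ChainLength |
    Format-List
```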

After you have imported the .pfx file, you will either need to assign the certificate in IIS, enable the certificate for the services you need in Exchange or select the certificate in any other software that you are using. Because IIS is the most common place to use SSL certificates, we have included the instructions for assigning a website to use the new certificate in IIS 6 (Windows Server 2003). If you have Windows Server 2008, just follow the binding part of the IIS 7 SSL Certificate Installation instructions.

  1. In IIS, right-click on the website that needs the certificate and click on Properties.
  2. Click the Directory Security tab and click on the Server Certificate button to run the server certificate wizard.
  3. If you already have a certificate on that website you will need to remove it and then start the wizard again.
  4. Click “Assign an existing certificate” and click Next.
  5. Select the new certificate that you just imported and click Next.
  6. Click Finish. You may need to restart IIS for the certificate to start working with the assigned website.

While there are several steps in the process, moving an SSL certificate from one Windows server to another is an easy task. It involves exporting a working SSL certificate from the MMC console to a .pfx file which contains the certificates and private key and then importing that file in the MMC console of the new or additional server. You will then need to assign or bind the certificate to a website in IIS in order to start using it on a website. If you need to move your SSL certificate to or from a different type of server, select the server type on our main SSL Certificate Import/Export Page.

How to Move or Copy an SSL Certificate from One Server to Another

Do you have multiple servers that need to use the same SSL certificate? This is very common in an environment where a load-balancer is used to share the load of a website across several different servers. This is also becoming more common as wildcard certificates and UC SSL certificates increase in popularity because they enable a single certificate to work on multiple different domains or subdomains using SSL Host Headers.

What about when you set up a new server or switch hosting companies? How do you move the current SSL certificate to the new server? What if you need to move it to a different type of server? The answers to all of those questions are contained in the following pages. Essentially, you will export SSL certificates from the server that they are currently installed on, move SSL certificates to the new server, and then import SSL certificates on the new server.

Keep in mind that many certificate authorities require that you purchase a “server license” for each server that you install an SSL certificate to, even if it uses the same private key. And speaking of private keys, it is slightly less secure to copy the SSL certificate and use the same private key on a different server. If an attacker breaks into one server and gets the private key, he will be able to listen in on the connections that other servers are making.

We will assume that you have already successfully installed the SSL certificate on one web server. You will follow these steps to move or copy that working certificate to a new server:

  1. Export the SSL certificate from the server with the private key and any intermediate certificates.
  2. Convert the certificate to a different format if you are putting it on a different type of server.
  3. Import the SSL certificates and private key on the new server and configure your sites to use them.

Now on to the instructions. What would you like to do?

Exporting/Backing Up to a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
  7. Choose Yes, export the private key and include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  8. Leave the default settings and then enter your password if required.
  9. Choose to save the file and then click Finish. You should receive an “export successful” message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to back up and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Enabling a New Certificate on a Server

  1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the IIS Manager, click the server name.
  3. Expand the sites folder.
  4. Select the site that you want to secure (usually the default website).
  5. On the actions menu in the edit site section, click Bindings.
  6. In the site bindings window, click Add. If a binding for https already exists, select the https binding and click Edit.
  7. Fill out the information in the add site binding window. In the type drop-down choose https. Set the IP address to the IP address of the site or choose all unassigned. The port for SSL traffic is usually 443. Enter the recently imported certificate in the SSL Certificate field.
  8. Click OK. Your SSL Certificate is now installed and the website is configured to accept secure connections. You may have to restart IIS or the server for it to recognize the new certificate.