From the dawn of HTTPS-time, admins have struggled with setting up multiple SSL certificates on a single server.  At the same time, we have Sitecore’s licensing model which really drives the business to get the most value out of fewer Sitecore instances. This leads teams to encounter multi-tenant installations that also require SSL protection, which in turn leads to me receiving questions like the following from clients:

“How do we get Sitecore to have multiple HTTPS websites on a single instance?”

The multiple SSL certificates problem is not because of a limitation on the Sitecore side, but rather a limitation in Internet Information Services (IIS).  No amount of configuring Sitecore site definitions will help you solve this problem. So how do we solve this issue?

Using multiple IP Addresses

The typical solution that works for all versions of IIS and any certificate is to make sure you use different endpoints (IP Address/Port combinations) on your bindings so that you can add two SSL bindings to your site. This will allow you to select two different certificates.

SAN certificates

If multiple IP addresses is undesirable, you can also try to solve the issue with the certificate itself. While a wildcard certificate may not be an option in this scenario, you may want to investigate a Subject Alternative Name (SAN) certificate which allows you to have multiple distinct domains explicitly specified against a single certificate.

IIS8 and SNI

IIS8/Windows Server 2012 now supports Server Name Indication (SNI) which will allow you to use a virtual domain as part of SSL negotiation. This works around the IP/Port endpoint uniqueness problem by allowing SSL bindings against the host name. There are some older browsers that do not support SNI, such as any version of IE on Windows XP.

Additional reading

In case one of the above options appeals to you, you can dive into more depth with these posts:

  1. Bind multiple sites on same IP address and Port in SSL (MSDN, Mathur Varun, June 2013)
  2. Subject Alternative Name (SAN) certificates (DigiCert)
  3. Server Name Indication (SNI) and browser support (DigiCert)
  4. IIS 8.0 Server Name Indication (SNI) – SSL Scalability (IIS.NET, Shaun Egan, February 2012)

Published by Jason St-Cyr

Jason is a developer relations leader overseeing the strategy for developer advocacy at Sitecore. This means helping as many developers as possible, with a focus on outreach, nurturing, and technical enablement.

Tags: , , ,

3 Comments

  1. Thanks for sharing. I just finally setup Https on my development machine. Would make a nice addition to your post on building secure websites, starting with developer PC.

    Reply
  2. Pingback: Eleventh day of Christmas… Blogs A-Plenty! | Agile and ALM

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s