From the dawn of HTTPS-time, admins have struggled with setting up multiple SSL certificates on a single server. At the same time, we have Sitecore’s licensing model which really drives the business to get the most value out of fewer Sitecore instances. This leads teams to encounter multi-tenant installations that also require SSL protection, which in turn leads to me receiving questions like the following from clients:
“How do we get Sitecore to have multiple HTTPS websites on a single instance?”
The multiple SSL certificates problem is not because of a limitation on the Sitecore side, but rather a limitation in Internet Information Services (IIS). No amount of configuring Sitecore site definitions will help you solve this problem. So how do we solve this issue?
Using multiple IP Addresses
The typical solution that works for all versions of IIS and any certificate is to make sure you use different endpoints (IP Address/Port combinations) on your bindings so that you can add two SSL bindings to your site. This will allow you to select two different certificates.
If multiple IP addresses is undesirable, you can also try to solve the issue with the certificate itself. While a wildcard certificate may not be an option in this scenario, you may want to investigate a Subject Alternative Name (SAN) certificate which allows you to have multiple distinct domains explicitly specified against a single certificate.
IIS8 and SNI
IIS8/Windows Server 2012 now supports Server Name Indication (SNI) which will allow you to use a virtual domain as part of SSL negotiation. This works around the IP/Port endpoint uniqueness problem by allowing SSL bindings against the host name. There are some older browsers that do not support SNI, such as any version of IE on Windows XP.
In case one of the above options appeals to you, you can dive into more depth with these posts:
- Bind multiple sites on same IP address and Port in SSL (MSDN, Mathur Varun, June 2013)
- Subject Alternative Name (SAN) certificates (DigiCert)
- Server Name Indication (SNI) and browser support (DigiCert)
- IIS 8.0 Server Name Indication (SNI) – SSL Scalability (IIS.NET, Shaun Egan, February 2012)