How to Assign Unique SSL Certificates to Multiple IIS Sites with Shared 443 Bindings


2 views

When managing multiple websites on IIS 8.5 with separate hostnames, administrators often encounter certificate assignment conflicts despite having unique host header bindings. The core issue manifests when attempting to modify SSL certificates for individual sites sharing the same IP:443 binding combination.

IIS implements bindings at the protocol level (HTTPS) rather than the hostname level when it comes to certificate assignment. This creates the warning message:

At least one other site is using the same HTTPS binding...

The system enforces certificate consistency across identical protocol bindings regardless of host header differences.

Server Name Indication (SNI) allows IIS to maintain multiple certificates on a single IP address. Implementation requires:

  1. Windows Server 2012 or later (IIS 8+)
  2. Client browsers supporting SNI (all modern browsers)

To configure via PowerShell:

# First remove existing binding
Remove-WebBinding -Name "Site1" -Protocol "https" -HostHeader "site1.example.com"

# Recreate with SNI flag
New-WebBinding -Name "Site1" -Protocol "https" -Port 443 -HostHeader "site1.example.com" -SslFlags 1

# Assign certificate (thumbprint from your cert store)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq "A1B2C3..."}
New-Item -Path IIS:\SslBindings\0.0.0.0!443!site1.example.com -Value $cert -SslFlags 1

For environments requiring legacy support:

# Assign unique IP to each site
Set-WebBinding -Name "Site1" -BindingInformation "*:443:" -PropertyName "IPAddress" -Value "192.168.1.101"

# Then assign certificates independently
Set-WebBinding -Name "Site1" -Protocol "https" -CertificateThumbprint "A1B2C3..."

Confirm proper certificate assignment using:

Get-WebBinding -Name "Site1" -Protocol "https" | Select-Object -Property *

Or through IIS Manager:

  1. Open "Server Certificates" feature
  2. Check "Assigned To" column for each certificate
  3. Verify bindings in each site's "Bindings" dialog

Certificate still shared: Ensure no two sites share identical binding configurations (IP:Port:Hostname).

Browser warnings: Clear SSL session cache and restart browser after changes.

Application pools: Recycling application pools may be necessary for changes to take effect.

When managing multiple websites on IIS 8.5 with separate hostnames, you might encounter a frustrating scenario where changing an SSL certificate for one site affects all others. The warning message clearly indicates that IIS is treating your HTTPS bindings as shared resources, even when hostnames are properly configured.

IIS uses a combination of IP address, port, and hostname to identify unique bindings. The issue occurs because:

  • By default, IIS considers port 443 bindings as shared across sites
  • The certificate selection dialog doesn't properly respect hostname differentiation
  • The binding configuration isn't properly isolated per site

Here's how to properly configure unique certificates per site:

Method 1: Using IIS Manager

  1. Open IIS Manager and select your site
  2. Click "Bindings" in the right-hand Actions pane
  3. Select the HTTPS binding and click "Edit"
  4. Make sure the "Host name" field contains your specific domain
  5. Click "Select" under SSL certificate and choose your specific certificate
  6. Check "Require Server Name Indication" (SNI)

Method 2: Using PowerShell

For automation or bulk changes, use this PowerShell script:


# Get the existing binding
$site = Get-WebBinding -Name "YourSiteName" -Protocol "https"

# Remove the old binding
Remove-WebBinding -Name "YourSiteName" -BindingInformation $site.BindingInformation

# Add new binding with specific certificate
New-WebBinding -Name "YourSiteName" -IPAddress "*" -Port 443 -HostHeader "yourdomain.com" -Protocol "https"

# Assign certificate (replace thumbprint with your cert's)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq "YOUR_CERT_THUMBPRINT"}
New-Item -Path "IIS:\SslBindings\0.0.0.0!443!yourdomain.com" -Value $cert
  • Always use SNI (Server Name Indication) for modern browsers
  • Verify certificate bindings using: netsh http show sslcert
  • For wildcard certificates, ensure the binding hostname matches the certificate scope
  • Restart IIS after making changes: iisreset

If you still experience problems:

  1. Check for duplicate bindings using: Get-WebBinding | Where-Object {$_.Protocol -eq "https"}
  2. Verify certificate permissions with: winhttpcertcfg -l
  3. Ensure the certificate is properly imported to the Local Machine store