IIS SSL Multiple Sites Alert<\/figcaption><\/figure>\nAccepting or rejecting really depends on your server and what sites and certificates are actually in use. However, this may impact on the other sites and my past experience has been that other sites can be left in an unstable state either without a binding, a certificate, or a mix-up on which certificate.<\/p>\n
Change SSL Certificate for Multiple Sites<\/h2>\n
Use the following steps to prepare manual change at the command line in order to avoid the above error message and address all sites using the same IP address : port and certificate at the same time.<\/p>\n
All the detailed information has been sanitised to use dummy data, you will need to substitute the relevant information for your certificates and server.<\/em><\/p>\nFirst examine the certificates in use opening a command prompt – this is all read activity so Run as Administrator is not required, yet.<\/p>\n
certutil -store My<\/pre>\nThis will display lists of certificates and applications like the following. I selected the 2 that I was looking for as follows:<\/p>\n
the old certificate – based on NotBeforeDate – you need the highlighted hash from each certificate<\/p>\n
================ Certificate 7 ================
\nSerial Number: 1234567890abcdef1234567890abcdef1234
\nIssuer: CN=AlphaSSL CA – G2, O=AlphaSSL
\nNotBefore: 01\/01\/2014 11:27 AM
\nNotAfter: 31\/12\/2016 11:27 AM
\nSubject: CN=*.yourdomain.tld, OU=Domain Control Validated
\nNon-root Certificate
\nTemplate:
\nCert Hash(sha1): 12 34 56 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78<\/strong>
\nKey Container = 12345a8277cd156abcd09d20dcba5c31_g3239vv5-8181-1234-b6ba-bbbb
\n78ccd34
\nProvider = Microsoft RSA SChannel Cryptographic Provider
\nEncryption test FAILED
\nCertUtil: -store command completed successfully.<\/address>\nand the new certificate – based on NotBeforeDate<\/p>\n
================ Certificate 4 ================
\nSerial Number: 67890abcdef12341234567890abcdef12345
\nIssuer: CN=AlphaSSL CA – SHA256 – G2, O=GlobalSign nv-sa, C=BE
\nNotBefore: 01\/01\/2015 9:02 AM
\nNotAfter: 31\/12\/2016 11:27 AM
\nSubject: CN=*.yourdomain.tld, OU=Domain Control Validated
\nNon-root Certificate
\nTemplate:
\nCert Hash(sha1): 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78 12 34 56<\/strong>
\nKey Container = 1234abcd54d7161def4863d4d6b96633_f3239aa5-8080-1234-b6ba-abcd
\n78ccd34
\nProvider = Microsoft RSA SChannel Cryptographic Provider
\nEncryption test FAILED<\/address>\nNext, identify the ip address that is in use and, assuming that standard https is being used, port 443. This could be done by checking within IIS first to check which common IP address is being used.<\/p>\n
netsh http show sslcert<\/pre>\nWhich will show all the ssl certificate bindings, or if you know which ipaddress, then be selective<\/p>\n
netsh http show sslcert ipport=223.27.11.71:443<\/pre>\nWill show the results like:<\/p>\n
SSL Certificate bindings:
\n————————-IP:port\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 223.27.11.71:443
\nCertificate Hash\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1234567890abcdef1234567890abcdef12345678
\nApplication ID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {34567812-3456-7890-abcd-ef123456789d}<\/strong>
\nCertificate Store Name\u00a0 : MY
\nVerify Client Certificate Revocation\u00a0\u00a0\u00a0 : Enabled
\nVerify Revocation Using Cached Client Certificate Only\u00a0\u00a0\u00a0 : Disabled
\nUsage Check\u00a0\u00a0\u00a0 : Enabled
\nRevocation Freshness Time : 0
\nURL Retrieval Timeout\u00a0\u00a0 : 0
\nCtl Identifier\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : (null)
\nCtl Store Name\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : (null)
\nDS Mapper Usage\u00a0\u00a0\u00a0 : Disabled
\nNegotiate Client Certificate\u00a0\u00a0\u00a0 : Disabled<\/address>\nThe application ID is what is needed from the above but check that the correct certificate hash (the old one) is associated with this binding.<\/p>\n
Now select all the relevant information from the results as shown<\/p>\n
Old certificate hash (with spaces removed)<\/p>\n
1234567890abcdef1234567890abcdef12345678<\/em><\/p>\nNew certificate hash (with spaces removed)<\/p>\n
7890abcdef1234567890abcdef12345678123456<\/em><\/p>\nand the AppID<\/p>\n
{34567812-3456-7890-abcd-ef123456789d}<\/em><\/p>\nThe following two steps will need a new elevated command window selected with ‘Run as Administrator’<\/p>\n
Delete old binding<\/p>\n
netsh http delete sslcert ipport=223.27.11.71:443<\/pre>\nThen add new using hash and appid<\/p>\n
netsh http add sslcert ipport=223.27.11.71:443 certhash=7890abcdef1234567890abcdef12345678123456 appid={34567812-3456-7890-abcd-ef123456789d}<\/em><\/pre>\nwhich should result in<\/p>\n
SSL Certificate successfully added<\/pre>\nAnd finally if you want to check that it has been applied<\/p>\n
netsh http show sslcert | findstr \/R \"7890abcdef1234567890abcdef12345678123456\"<\/pre>\nor to check that the old certificate hash is not still in use on another ipaddress:port binding use the above with the old certificate hash.<\/p>\n
<\/p>\n
Reference: http:\/\/serverfault.com\/questions\/610841\/replace-wildcard-certificate-on-multiple-sites-at-once-using-command-line-on-i<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"“At least one other site is using the same HTTPS binding …..”\u00a0 is a prompt that every Windows Server IIS administrator has come across at some point.\u00a0 It arises when trying to change or update an SSL certificate on Windows server IIS platform where there are multiple websites and potentially multiple certificates. Multiple Sites Using […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[116],"class_list":["post-1275","post","type-post","status-publish","format-standard","hentry","category-windows-servers","tag-iis-ssl-windows-server"],"_links":{"self":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts\/1275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/comments?post=1275"}],"version-history":[{"count":4,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts\/1275\/revisions"}],"predecessor-version":[{"id":1281,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts\/1275\/revisions\/1281"}],"wp:attachment":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/media?parent=1275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/categories?post=1275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/tags?post=1275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"IIS](\"http:\/\/howden.net.au\/thowden\/files\/2015\/05\/IIS-SSL-MultipleSites-Error.png\")
<\/a>