Azure Service - can I add a second SSL certificate for a second domain name?

2
votes

Background:

I have an Azure Service Account running an MVC website. It has an SSL certificate for secure access: https://www.caselines.co.uk

This works great.

We have been asked to provide access to the website via another domain e.g. www.anotherdomain.com

By pointing the second domain name at the service account (using the www cname property of the domain) we can access the website using www.anotherdomain.com

If we use https://www.anotherdomain.com we get the message 'There is a problem with this website's security certificate'. If we proceed then the site works great but the address bar correctly identifies that there is a certificate error.

Question:

Here's the question: If I load a second SSL certificate (for www.anotherdomain.com) into the service account and add a second entry into the certificates sections of the service configuration and service definition files, will that resolve the certificate error issue?

2
azuressl-certificate

2 Answers

2
votes

In Windows Azure Cloud Service the SSL certificate binds to the port which you have enabled in the service first as external, in your case it is 443. And there is only one 443 port so only one certificate can bind to it. Now in your case, you have another SSL certificate and want to bind to same 443 port, there is the problem because you have already used the port 443 by binding previous certificate and it will not work.

When an IIS server supports multiple websites within, it runs all of them on different port internally (both http and https) and based in incoming header the request is sent internally to different site/domain which works fine.

However if you have only one site in your IIS configured to use HTTP and HTTPS (with certificate), you can only authenticate with one SSL cert based on whatever certificate is bind to that HTTPS port.

If you have a two certificates (having same CA root) then you can chain them together into one single certificate. With HTTPS port you sure can use a chained certificate so something you can try and see if this meets your requirement and works both. Note: I haven't tried something similar i.e. having two separate domain SSL certs pointing to same HTTPS port so not sure what the result could be.

0
votes

AvkashChauhan's answer is right regarding that you can have only one binding per port, but you can use hostheaders in order to have multiple websites listening to the same port.

And now, with IIS 8 (Windows Server 2012) supporting SNI, you can have "HTTPS hostheaders".

The only problem is that you will need to automate the certificate installation and the IIS binding configuration.

I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at: http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/