Multiple SSL certificates in one azure deployment

7
votes

I have a problem similar to (but not the same) as this:
Azure web role - Multiple ssl certs pointing to a single endpoint

My azure package contains multiple sites. Some of these sites are on domain abc and others are on domain def. I need to secure both domains with SSL but can't figure out how (if it's possible) to do this.

Here's an example of my config:

<Sites>
    <Site name="sub1.abc" physicalDirectory="***">
        <Bindings>
            <Binding name="HttpIn" endpointName="HttpIn" hostHeader="sub1-staging.abc.com" />
            <Binding name="HttpsInABC" endpointName="HttpsInABC" hostHeader="sub1.abc.com" />
        </Bindings>
    </Site>
    <Site name="sub1.def" physicalDirectory="***">
        <Bindings>
            <Binding name="HttpIn" endpointName="HttpIn" hostHeader="sub1-staging.def.com" />
            <Binding name="HttpsInDEF" endpointName="HttpsInDEF" hostHeader="sub1.def.com" />
        </Bindings>
    </Site>
</Sites>
<Endpoints>
    <InputEndpoint name="HttpIn" protocol="http" port="80" />
    <InputEndpoint name="HttpsInABC" protocol="https" port="443" certificate="abc" />
    <InputEndpoint name="HttpsInDEF" protocol="https" port="443" certificate="def" />
</Endpoints>
<Certificates>
    <Certificate name="abc" storeLocation="LocalMachine" storeName="My" />
    <Certificate name="def" storeLocation="LocalMachine" storeName="My" />
</Certificates>

This configuration gives me the following error:

The same local port '443' is assigned to endpoints HttpsInABC and HttpsInDEF in role ***.

Any suggestions on how I can work around this without having to host them separately?



Based on @JoelDSouza's answer:

Will using different ports work for you

What are the implications of SSL on ports 444/445/446 etc. in Windows Azure?

4
sslazureiis-7hostingssl-certificate
+1. Good question flemster - mattytommo
Possible duplicate - stackoverflow.com/questions/10442858/… - ChrisF♦
@ChrisF. My question is regarding SSL for multiple different domain names rather than sub domains. - Paul Fleming
@flem - A duplicate answer was posted which indicates the questions may be duplicate. I left a comment to get feedback on whether it was a duplicate or not. - ChrisF♦

4 Answers

3
votes

You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.

IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.

I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at: http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/

2
votes

I fear you are out of luck - as noted in the article you linked to, one SSL certificate per server IP. I guess by hosting them separately (that feels odd to say considering it's cloud based) you will get two IPs and therefore can add an SSL certificate to each IP address.

You could perhaps move everything to one domain and use folders within that domain to host the separate sites - that's the only way you will be able to secure everything with your SSL certificate without having two hosting packages: ie instead of:

www.domain1.com and www.domain2.com use www.mydomain.com/domain1/ and www.mydomain.com/domain2/

0
votes

Will using different ports work for you? You can use SSL cert 1 with myapp.cloudapp.net:443 and SSL cert 2 with myapp.cloudapp.net:8443

0
votes

If you don't need wildcard certificates you can use a multi-domain certificate. This way you only need one certificate. The downside is that each sub-domain needs to be specified, which can get expensive if you have a lot.