Using a Wildcard SSL Certificate in IIS 7.x
For a long time we only had an SSL certificate for www.mojoportal.com, but recently we purchased a wildcard SSL certificate so we can use it for any host under mojoportal.com. In other words, we now have SSL on demo.mojoportal.com, storedemo.mojoportal.com, and all the foreign language community sites like de.mojoportal.com and nl.mojoportal.com.
So a wildcard SSL certificate is a certificate for *.mojoportal.com, which means we can use it for as many different .mojoportal.com sites as we care to create. I had some struggle setting up the wildcard SSL certificate on my server, so I thought I should make some notes here for others who may encounter the same problems. There are several points along the way where one can easily make a mistake and create more difficulty, so hopefully these notes will help you do it the right way the first time.
Where to get a Wildcard SSL Certificate
There are a number of places where you can get SSL certificates. The best deal I've found is StartSSL, which Joe Davis recommended to me, and that is where we got our wildcard SSL certificate. Previously we had obtained a certificate for www.mojoportal.com from RapidSSL; they also offer wildcard SSL certificates, but the cost is higher.
Generating a CSR (Certificate Request)
You generate a certificate request in IIS 7.x from the main server node: double click the Server Certificates icon, and on the right you will see a link to generate a certificate request. It is important that when you generate the CSR you generate it for *.yourdomain.com, not for any specific host like www.yourdomain.com.
Make sure you use *.yourdomain.com
Make sure you set the bit length to 2048
You can save the certificate request as a .txt file and open it in a text editor so you can copy the request and paste it when completing the steps to obtain an SSL certificate.
Installing The SSL Certificate
When you receive your certificate it will be just a text file. Save it on disk on your server with a .cer extension, then click the link in IIS for "Complete Certificate Request" (shown in the 2nd screenshot above). You will then browse to the .cer file you saved and choose it.
IMPORTANT: When you install the certificate you must enter a friendly name for the certificate; make sure you name it *.yourdomain.com. I made the mistake of not naming it like that, and what happens is that IIS 7.x won't let you set an SSL host header unless the friendly name starts with *. You can see in this example how it looks if the certificate friendly name does not start with *:
See how it is greyed out and you cannot set the host name. If you don't set a host name and then try to configure the certificate on another site, it causes an error and the second site won't start.
Note, if you made the same mistake as me and did not make the friendly name of the certificate start with *, you can fix it, but not from IIS. Thanks to Joe Davis who told me how to rename the friendly name. Click the Start button and then type MMC to load the Microsoft Management Console. Then add the Certificates snap-in (for the Local Computer account). From there you can right click the certificate, choose Properties, and edit the friendly name.
Once the certificate is installed with a friendly name starting with *, the host name field will no longer be disabled and you will be able to set the SSL host header.
There are other ways of setting the SSL host headers from the command line if the field is disabled in the UI, but it is far easier if it is enabled in the UI.
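The same steps from the command line, as an added example that is not part of the original article: it checks that the wildcard certificate's friendly name starts with * (renaming it if not, which is what the MMC step above does), adds the HTTPS binding with a host header using appcmd, and associates the certificate with port 443 in HTTP.sys using netsh. It assumes an elevated PowerShell prompt on the IIS 7.x server, and the site name, host name and friendly name are placeholders to replace with your own.

```powershell
# Added example, not from the original article. Assumes the wildcard certificate
# was installed into the Local Machine "Personal" (My) store, and that the values
# below are replaced with your own (they are placeholders).
$siteName = 'demo'                      # name of the IIS site (placeholder)
$hostName = 'demo.yourdomain.com'       # host header for the HTTPS binding (placeholder)
$friendly = '*.yourdomain.com'          # friendly name IIS 7.x requires to start with *

# 1. Locate the wildcard certificate by its subject (CN=*.yourdomain.com).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$friendly*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $friendly found in LocalMachine\My" }

# 2. The fix the article performs in MMC: make sure the friendly name starts with *.
#    Assigning FriendlyName on a Cert: provider object writes it back to the store.
if (-not $cert.FriendlyName.StartsWith('*')) {
    Write-Host "Friendly name '$($cert.FriendlyName)' does not start with *, renaming"
    $cert.FriendlyName = $friendly
}

# 3. Add the HTTPS binding with a host header (the field that is greyed out in the UI).
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
& $appcmd set site /site.name:"$siteName" "/+bindings.[protocol='https',bindingInformation='*:443:$hostName']"

# 4. Bind the certificate to 0.0.0.0:443 in HTTP.sys. IIS 7.x keeps one certificate per
#    IP:port, which is why every host-header site on port 443 must share the wildcard.
$existing = (netsh http show sslcert ipport=0.0.0.0:443 2>&1) | Out-String
if ($existing -notmatch $cert.Thumbprint) {
    if ($existing -match 'Certificate Hash') {
        # A different certificate is already bound to the port; replace it.
        netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
    }
    $appId = [guid]::NewGuid().ToString('B')   # any GUID is accepted as the owning app id
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) appid="$appId"
}

# 5. Verify: the site should list the https binding with its host header, and the
#    sslcert entry should show the wildcard certificate's thumbprint.
& $appcmd list site "$siteName"
netsh http show sslcert ipport=0.0.0.0:443
```

Repeat step 3 for each additional host (storedemo.yourdomain.com, de.yourdomain.com, and so on); step 4 only needs to be done once per IP and port.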
Hope this article helps save you some time.
Additional Resources (links I found while researching this)
Last Updated 2011-02-18