
IIS 8.5, Central Certificate Store, Wildcard SSL and website with no host name

I'm having a problem using the IIS8 Central Certificate Store with a wildcard certificate. I have a web server farm that is configured to use CCS. I have a wildcard certificate "*.delaneywilson.com". I created a pfx file for the wildcard cert, named it "_.delaneywilson.com" (as instructed by Microsoft and other articles on the web) and then dropped it into my shared SSL directory. The certificate shows up in IIS without any issues.

I created bindings for www.delaneywilson.com and delaneywilson.com, both using port 443, set to "All Unassigned", "Require Server Name Identification" and "Use Centralized Certificate Store". The binding with the www works fine, but the binding without the host name does not work.

In fact, any binding I apply works as long as there is a host name:

https://www.delaneywilson.com -> Works
https://anything.delaneywilson.com -> Works
https://something.delaneywilson.com -> Works
https://delaneywilson.com -> Does not work

Everything I've read leads me to believe that wildcard certificates are supported in IIS8.x using CCS, but I cannot make "just" the domain name work.

It says for UCC certificates that you actually have to duplicate the certificate and drop it in the shared directory once for each domain supported by the UCC cert. I tried something similar with the wildcard certificate, but it didn't work. In fact the certificate did not show up at all in the CCS list. (Which is expected since the certificate is *.delaneywilson.com and not delaneywilson.com.) I can work around this problem by just forcing a redirect from my load balancer from delaneywilson.com to www.delaneywilson.com, but I think it would be better if it just worked.

For now I've just gone back to installing the certificates on each server and then configuring my bindings to use SNI and my local certificate store. That seems to work without any issues. For a small farm of 5 servers and just a few websites it's not a big deal, but I need to use the CCS for a 24 server web farm hosting 6500 domains and it's just too much configuration.

Can anyone confirm that this is a bug in the IIS 8.5 CCS?

[Option One]

Purchase another SSL certificate for just the "delaneywilson.com"

[Option Two]

Add the DNS name "delaneywilson.com" in the SAN field of the "*.delaneywilson.com" certificate

The wildcard certificate secures the domain and adds it as a SAN in the certificate by default. So if you took *.abc.com, abc.com gets added as a SAN in the certificate automatically. If it's not added, you can contact your CA and ask them to reissue the certificate with the domain added as a SAN.

Yes, a CSR has to be generated again for the reissue to take place.

There are certain CAs which include the main domain (without www) under Subject Alternative Name (SAN) when you procure the wildcard certificate.

Just follow these steps to check whether delaneywilson.com is added as a SAN:

Go to IIS and double-click the certificate for delaneywilson.com >> click on the Details tab >> scroll down a bit and click on Subject Alternative Name.

I am posting an image for your reference.

I had the exact same problem, and this thread got me thinking. The answer is in how CCS selects certificate files:

anything.delaneywilson.com >> CCS looks for _.delaneywilson.com.pfx >> Found.
delaneywilson.com >> CCS looks for delaneywilson.com.pfx >> NOT found.

Most wildcard certificates also contain a SAN for the base domain name. To use that SAN through CCS, simply duplicate the pfx file and remove the leading underscore and dot from one of the two file names.

When using a local certificate (not CCS), which one to use is already specified in the binding, so no confusion there.
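As an added example (not code from any of the answers above), the following PowerShell script does on the command line what the last two answers describe by hand: it reads the Subject Alternative Name extension of the wildcard PFX sitting in the CCS share (the same check the earlier answer performs through the IIS certificate dialog), and only if the bare domain is present does it create the `delaneywilson.com.pfx` copy that the file-name lookup described in the last answer requires. The share path `\\fileserver\ccs`, the PFX password, the IIS site name and the `-AddBinding` switch are assumptions for illustration; the SAN lookup order function only mirrors the order that answer states.

```powershell
<#
  Added example, not part of the original thread. Assumptions (none of these
  come from the thread): the CCS share path, the PFX password, and the IIS
  site name used for the optional binding. Run on the IIS host or on any
  machine that can reach the CCS share.
#>
param(
    [string]$CcsShare    = '\\fileserver\ccs',   # assumed share path
    [string]$Domain      = 'delaneywilson.com',
    [string]$PfxPassword = 'changeit',           # assumed PFX password
    [string]$SiteName    = 'delaneywilson.com',  # assumed IIS site name
    [switch]$AddBinding
)

# File names CCS will try for a host name, in the order the answer describes:
# the exact host name first, then the wildcard file for the parent domain.
function Get-CcsCandidateFile {
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.Split('.')
    $files  = @("$HostName.pfx")
    if ($labels.Count -gt 2) {
        $parent = ($labels | Select-Object -Skip 1) -join '.'
        $files += "_.$parent.pfx"
    }
    return $files
}

# DNS names in the SAN extension (OID 2.5.29.17) of a PFX, read without
# importing the certificate into a store.
function Get-PfxDnsNames {
    param([Parameter(Mandatory)][string]$Path, [string]$Password)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $Path, $Password,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    try {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { return @() }
        # Format() output is localized; 'DNS Name=' is the English label.
        $text = $san.Format($false)
        return [regex]::Matches($text, 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    } finally {
        $cert.Reset()   # release the temporary private key
    }
}

$wildcardFile = Join-Path $CcsShare "_.$Domain.pfx"
$bareFile     = Join-Path $CcsShare "$Domain.pfx"

Write-Host "CCS lookup for www.$Domain : $((Get-CcsCandidateFile "www.$Domain") -join ' -> ')"
Write-Host "CCS lookup for $Domain     : $((Get-CcsCandidateFile $Domain) -join ' -> ')"

if (-not (Test-Path -LiteralPath $wildcardFile)) {
    throw "Wildcard file $wildcardFile not found in the CCS share."
}

$names = Get-PfxDnsNames -Path $wildcardFile -Password $PfxPassword
Write-Host "SAN DNS names in $wildcardFile : $($names -join ', ')"

if ($names -notcontains $Domain) {
    Write-Warning "$Domain is not in the SAN; a copy of this PFX would not be valid for it. Ask the CA to reissue with $Domain as a SAN."
    return
}

# A request for the bare domain makes CCS look for delaneywilson.com.pfx,
# so give it a copy of the wildcard file under that name.
if (-not (Test-Path -LiteralPath $bareFile)) {
    Copy-Item -LiteralPath $wildcardFile -Destination $bareFile
    Write-Host "Created $bareFile"
}

# Optional: add the https binding for the bare domain on all unassigned
# addresses, with SNI and CCS enabled (SslFlags 3 = SNI (1) + CCS (2)).
if ($AddBinding) {
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $Domain)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
            -HostHeader $Domain -SslFlags 3
    }
}
```

The copy must keep the same password as the wildcard file, since CCS opens both with the password configured on the store (or the per-file password); the script copies the file as-is, so this holds. Check the result with a request from outside the farm, e.g. `openssl s_client -connect delaneywilson.com:443 -servername delaneywilson.com`, and confirm the served certificate's SAN lists the bare name.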
