IIS 10 default HTTPS binding

  • Question

  • User-440682272 posted

    On IIS it is possible to define a default binding for the HTTP protocol, so whatever host name is used, IIS responds with the default binding (unless there is a specific binding for that host name).

    It seems to me that the same thing cannot be done with HTTPS. Actually, before the introduction of the Central Certificate Store (CCS) this limitation made sense, because you had to create an HTTPS binding for each host name and associate its SSL certificate (+enable SNI). But with CCS this limitation no longer makes sense because IIS could respond with the default HTTPS binding to all host names that have a corresponding certificate in the CCS.

    Am I configuring IIS incorrectly, or is it actually true that we can't define a default binding for HTTPS?

    Sunday, February 7, 2021 6:02 PM

All replies

  • User690216013 posted

    I wonder what you have tried. Windows HTTP API allows you to set IP based bindings, so it should be rather simple to create a default HTTPS binding, as long as your changes in IIS Manager trigger creation of IP based bindings in HTTP API, not SNI based bindings:

    https://docs.jexusmanager.com/tutorials/https-binding.html#ip-based-bindings 

    However, all incoming requests to that site will see the same certificate from that IP based binding. IIS won't check CCS. That's how HTTP API is designed, so you don't have flexibility to change how it works internally.

    Sunday, February 7, 2021 10:16 PM
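
The distinction drawn in the reply above, as an added PowerShell example that is not code from any poster in this thread: it classifies HTTPS bindings by how the certificate is selected and flags the IP-based catch-all case, where every host name receives the same certificate. The function name `Get-HttpsBindingKind` and the sample bindings are constructed for illustration; the `sslFlags` bit values (1 = SNI, 2 = Central Certificate Store) are those of IIS's `SslFlags` enumeration.

```powershell
# Added example: classify IIS HTTPS bindings by how the certificate is chosen.
# Input objects need the two properties Get-WebBinding returns:
# bindingInformation ("IP:port:hostname") and sslFlags (bitmask).
function Get-HttpsBindingKind {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Binding
    )
    process {
        $info = [string]$Binding.bindingInformation
        # Greedy IP group so a bracketed IPv6 address (with colons) still parses.
        $m = [regex]::Match($info, '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$')
        if (-not $m.Success) {
            Write-Warning "Unrecognized bindingInformation: $info"
            return
        }
        $hostName = $m.Groups['host'].Value
        $flags    = [int]$Binding.sslFlags
        # Low two bits: 1 = SNI, 2 = Central Certificate Store (higher bits are ignored here).
        $kinds    = @('IP-based', 'SNI', 'CCS without SNI', 'SNI + CCS')
        $kind     = $kinds[$flags -band 3]
        $catchAll = ($hostName -eq '')

        $note = ''
        if ($catchAll -and $kind -eq 'IP-based') {
            # Behaviour described in the thread: one certificate for all names, CCS not consulted.
            $note = 'All host names on this IP:port receive this one certificate; CCS is not checked.'
        }
        [pscustomobject]@{
            Binding  = $info
            Kind     = $kind
            CatchAll = $catchAll
            Note     = $note
        }
    }
}

# Constructed sample bindings (not taken from a real server).
$sample = @(
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:';                sslFlags = 0 }
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:www.example.com'; sslFlags = 1 }
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:app.example.com'; sslFlags = 3 }
)
$sample | Get-HttpsBindingKind | Format-Table -AutoSize

# On a server with the WebAdministration module loaded:
# Get-WebBinding -Protocol https | Get-HttpsBindingKind | Format-Table -AutoSize
```
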
  • User-440682272 posted

    Thanks for the reply, but my request is exactly to have a default HTTPS binding that responds to all host names based on the certificates present in the CCS. I know how to create a default HTTPS binding, but it doesn't work as required.

    Sunday, February 7, 2021 10:31 PM
  • User1065476709 posted

    Hi maxmayer,

    maxmayer

    but my request is exactly to have a default HTTPS binding that responds to all host names based on the certificates present in the CCS. I know how to create a default HTTPS binding, but it doesn't work as required.

    What issue did you get? Normally, you only need to add bindings as follows:

    1. Go to IIS Manager. Select the website.
    2. Click “Bindings…”. Click “Add”.
    3. Select “https” as the “Type”.
    4. Check “Use Centralized Certificate Store”.

    For more information about CCS with IIS, you can refer to this link: https://techcommunity.microsoft.com/t5/iis-support-blog/centralized-certificate-store-ccs-and-iis-bindings/ba-p/582708

    Best regards,

    Sam

    Monday, February 8, 2021 7:32 AM
  • User-440682272 posted

    Thanks for the reply and for the information; however, the point of my post is this one:

    It seems to me that the same thing cannot be done with HTTPS. Actually, before the introduction of the Central Certificate Store (CCS) this limitation made sense, because you had to create an HTTPS binding for each host name and associate its SSL certificate (+enable SNI). But with CCS this limitation no longer makes sense because IIS could respond with the default HTTPS binding to all host names that have a corresponding certificate in the CCS.

    Monday, February 8, 2021 2:12 PM
  • User690216013 posted

    Thanks for the reply, but my request is exactly to have a default HTTPS binding that responds to all host names based on the certificates present in the CCS. I know how to create a default HTTPS binding, but it doesn't work as required.

    In short, what you wanted is impossible at this moment, unless Microsoft decides to change how HTTP.sys and IIS work internally.

    Monday, February 8, 2021 7:49 PM
  • User-440682272 posted

    Thanks for confirming it.

    Monday, February 8, 2021 7:59 PM