Wildcard Certificate Mapping Multiple Web Servers using Single IP address

1 June 2009 By David


The following tools are used in this post:

  • MakeCert.exe (which should be part of a Visual Studio install or downloadable here)
  • winhttpcertcfg.exe (downloadable here)
  • APPCMD (part of Vista / Server 2008 / Windows 7)
  • 'Certificates' snap-in for Personal and Local Computer using MMC


Execute the following command from a command prompt to create a self-signed wildcard certificate for *.domain.com in your personal (current user) store:

makecert -r -pe -n CN=*.domain.com -ss my -sr currentuser -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 wildcard.domain.cer


  • From the Run command or the Start menu, type MMC
  • File > Add or Remove Snap-ins, select Certificates, click Add, select My user account, click Finish
  • Repeat the previous step and select My Computer (then select Local Computer)
  • Click OK
  • Expand Certificates – Current User > Personal > Certificates
  • Right-click *.domain.com and choose All Tasks > Export. The PFX file contains both the public and private key for this cert, which is why you're asked for a password.
  • Copy or move the certificate from Current User > Personal > Certificates to Local Computer > Trusted Root Certification Authorities > Certificates (this is what makes the self-signed cert trusted on this machine)
  • Import the PFX into Local Computer > Personal > Certificates (this will be the certificate used by your web services)

Now let’s create your web servers

Remove existing demo app pools and sites

%windir%\system32\inetsrv\Appcmd delete site "Demo 1"
%windir%\system32\inetsrv\Appcmd delete site "Demo 2"
%windir%\system32\inetsrv\Appcmd delete AppPool "Demo 1 App Pool"
%windir%\system32\inetsrv\Appcmd delete AppPool "Demo 2 App Pool"

Establish SSL Environment

Tell Windows that Network Service is allowed access to the private key of your wildcard cert, then tell it to bind the cert to port 443 on your IP address.

PathToWinHTTPCertCfg\winhttpcertcfg -g -i "wildcard.domain.com.pfx" -c LOCAL_MACHINE\My -a "Network Service" -p MySecretPassword

Then execute the following (the thumbprint is shown on the certificate's Details tab in MMC; the appid can be any GUID you choose):

netsh http add sslcert ipport=<YOURLOCALIPADDRESS>:443 certhash=<CERTIFICATE THUMBPRINT> appid=<A GUID IN THE FORM OF {ab3c58f7-8316-42e3-bc6e-771d4ce4b201}>

Create App Pools and Sites

This is the code to create the app pools and sites. Each site gets a plain HTTP binding on port 80 plus an HTTPS binding on port 443 with its own host header; because every host header is covered by the one wildcard cert bound to the IP, all the sites can share the single IP address.

%windir%\system32\inetsrv\Appcmd add apppool -name:"Demo 1 App Pool"
%windir%\system32\inetsrv\Appcmd add site -id:100 -name:"Demo 1" -bindings:http/*:80:YOURLOCALIPADDRESS -physicalPath:<PathToDemo1Source> -logfile.directory:<PathToPutLogFilesIn> -traceFailedRequestsLogging.directory:<PathToPutTraceFiles>
%windir%\system32\inetsrv\Appcmd set app "Demo 1/" -applicationPool:"Demo 1 App Pool"
%windir%\system32\inetsrv\Appcmd set site /site.name:"Demo 1" /+bindings.[protocol='https',bindingInformation='*:443:demo1.domain.com']

%windir%\system32\inetsrv\Appcmd add apppool -name:"Demo 2 App Pool"
%windir%\system32\inetsrv\Appcmd add site -id:200 -name:"Demo 2" -bindings:http/*:80:YOURLOCALIPADDRESS -physicalPath:<PathToDemo2Source> -logfile.directory:<PathToPutLogFilesIn> -traceFailedRequestsLogging.directory:<PathToPutTraceFiles>
%windir%\system32\inetsrv\Appcmd set app "Demo 2/" -applicationPool:"Demo 2 App Pool"
%windir%\system32\inetsrv\Appcmd set site /site.name:"Demo 2" /+bindings.[protocol='https',bindingInformation='*:443:demo2.domain.com']
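Before adding more sites it is worth checking that each HTTPS host header is actually covered by the wildcard cert, since a wildcard matches exactly one label (so *.domain.com covers demo1.domain.com but not domain.com itself or api.demo2.domain.com). The following is an added example, not part of the original post; it parses bindings in the appcmd protocol/ip:port:host format used above and the sample binding list is constructed here.

```python
"""Check that every HTTPS binding's host header is covered by the certificate.

Bindings use the appcmd format from the post: protocol/ip:port:hostheader.
"""
from typing import List, Tuple

# Constructed sample: the two sites from the post plus hypothetical bindings
# that the wildcard would NOT cover, to show the failure cases.
SAMPLE_BINDINGS = [
    "https/*:443:demo1.domain.com",
    "https/*:443:demo2.domain.com",
    "https/*:443:domain.com",            # bare apex: not matched by *.domain.com
    "https/*:443:api.demo2.domain.com",  # two labels deep: not matched either
    "http/*:80:demo1.domain.com",        # plain HTTP, certificate not involved
]


def parse_binding(binding: str) -> Tuple[str, str, str, str]:
    """Split 'protocol/ip:port:host' into (protocol, ip, port, host)."""
    protocol, info = binding.split("/", 1)
    ip, port, host = info.split(":", 2)   # host header may be empty
    return protocol.lower(), ip, port, host.lower()


def wildcard_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host the way browsers do:
    a leading '*' stands for exactly one DNS label, nothing more."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                  # ".domain.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]          # what the '*' would have to cover
    return bool(label) and "." not in label


def uncovered_https_hosts(cert_names: List[str], bindings: List[str]) -> List[str]:
    """Return host headers of HTTPS bindings that no certificate name covers."""
    bad = []
    for binding in bindings:
        protocol, _ip, _port, host = parse_binding(binding)
        if protocol != "https":
            continue
        if not any(wildcard_matches(name, host) for name in cert_names):
            bad.append(host or "<no host header>")
    return bad


if __name__ == "__main__":
    for host in uncovered_https_hosts(["*.domain.com"], SAMPLE_BINDINGS):
        print("not covered by the certificate:", host)
```

Any host reported here will produce a certificate name mismatch warning in the browser even though the binding itself is accepted by IIS.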


…and that should be you 😉 Enjoy!