Using a Wildcard SSL Certificate in IIS 7.x

For a long time we only had an SSL certificate for, but recently we purchased a wildcard SSL certificate so we can use the certificate for, in other words we now have SSL on,, and all the foreign language community sites like and

So a wildcard SSL certificate is a certificate for * which means we can use it for as many different sites as we care to create. I had some struggle with setting up the wildcard SSL certificate on my server, so I thought I should make some notes here for others who may encounter the same problems. There are several points along the way where one can easily make a mistake and create more difficulty, so hopefully these notes will help you do it the right way the first time.

Where to get a Wildcard SSL Certificate

There are a number of places where you can get SSL certificates. The best deal I’ve found is StartSSL, which Joe Davis recommended to me, and that is where we got our wildcard SSL certificate. Previously we had obtained a certificate for from RapidSSL, and they also have wildcard SSL certificates, but the cost is higher.

Generating a CSR (Certificate Request)

You generate a certificate request in IIS 7.x from the main server node, where you see the icon for Certificates. Double-click it, and on the right you will see a link to generate a certificate request. It is important that when you generate the CSR you generate it for * not for any specific host like

certificates icon screen shot

create csr link screen shot

Make sure you use *

certificate request screen 1

Make sure you set the bit length to 2048

certificate request screen 2

You can save the certificate request as a .txt file and open it in a text editor so you can copy the request and paste it when completing the steps to obtain an SSL certificate.

Installing The SSL Certificate

When you receive your certificate it will be just a text file. Save it on disk on your server with a .cer extension, then click the link in IIS for “Complete Certificate Request” (shown in the 2nd screen shot above). You will then browse to the .cer file you saved and choose it.

IMPORTANT: When you install the certificate you must enter a friendly name for the certificate; make sure you name it *. I made the mistake of not naming it like that, and what happens is that IIS 7.x won’t let you set an SSL host header unless the friendly name starts with *. You can see in this example how it looks if the certificate friendly name does not start with *:

ssl host header disabled

See how it is greyed out and you cannot set the host name. If you don’t set a host name and then try to configure the certificate on another site, it causes an error and the second site won’t start.

Note: if you made the same mistake as me and did not make the friendly name of the certificate start with *, you can fix it, but not from IIS. Thanks to Joe Davis, who told me how to rename the friendly name. Click the Start button and then type MMC to load the Microsoft Management Console. Then add the snap-in for Certificate Management. From there you can right-click the certificate and choose Properties, and you will be able to edit the friendly name.
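The same rename can be scripted. The following PowerShell is an added example, not part of the original post: it lists wildcard certificates in the local machine's Personal store whose friendly name does not start with *, and when called with -Fix sets the friendly name to the certificate's subject name. The function name and the -Fix switch are made up for this example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell prompt.
# Repair-WildcardFriendlyName and -Fix are names made up for this example.
function Repair-WildcardFriendlyName {
    param([switch]$Fix)   # without -Fix the function only reports

    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # Cert:\LocalMachine\My is the "Personal" store of the computer account.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $cn   = $cert.GetNameInfo($simpleName, $false)          # subject common name
        if (-not $cn -or -not $cn.StartsWith('*.')) { return }  # skip non-wildcard certs

        $before   = [string]$cert.FriendlyName                  # empty if none was entered
        $needsFix = -not $before.StartsWith('*')

        if (-not $needsFix) {
            $status = 'ok'
        } elseif ($Fix) {
            # Writing the property on a certificate from the Cert: drive updates the store.
            $cert.FriendlyName = $cn
            $status = 'renamed'
        } else {
            $status = 'needs rename'
        }

        New-Object PSObject -Property @{
            Status        = $status
            Subject       = $cn
            FriendlyName  = [string]$cert.FriendlyName
            HasPrivateKey = $cert.HasPrivateKey   # should be True for a certificate IIS will serve
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
        } | Select-Object Status, Subject, FriendlyName, HasPrivateKey, NotAfter, Thumbprint
    }
}

# Report only; rerun as "Repair-WildcardFriendlyName -Fix" to apply the rename.
Repair-WildcardFriendlyName | Format-List
```

After a rename, reopen the site's binding dialog in IIS Manager to confirm that the host name field is no longer greyed out.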

Once the certificate is installed with a friendly name starting with *, the host name field will not be disabled and you will be able to set the SSL host header.

ssl host header enabled

There are other ways of setting the SSL host headers from the command line if it is disabled in the UI, but it is far easier if it is enabled from the UI.

