Multiple SSL Certs with 1 IP on Amazon EC2
Amazon is fast becoming one of the biggest dedicated server hosts with its EC2 offering. As many of you already know, they currently do not offer more than a single IP per server instance. Why? Who knows – it would seem an easy obstacle for them to fix, but users have been asking for that feature for over 5 years and there is still nothing, and no word on whether it will ever be supported.
Now the issue is that IIS 7+ only supports a single certificate per IP. Yes, you can use host headers to serve multiple sites, but all of those sites must use the same certificate. You cannot hack, cheat or tweak your way around this.
One solution is to use a new server for each client that needs a dedicated IP with SSL, but of course the costs get expensive quickly. There is a much cheaper solution!
Since the Amazon Elastic Load Balancer now supports SSL termination, you can set up a load balancer to handle the SSL, install your certificate via the EC2 control panel, and then forward the request internally to your instance on port 80 without SSL (note that the hop from the load balancer to the instance is then unencrypted).
To do this, when you're setting up the load balancer, use HTTP (80) to HTTP (80) and the new HTTPS (443) to HTTP (80), then upload your certificate in PEM format. If you don't have the certificate in PEM format (and let's be honest, since you're running on IIS you won't), follow these steps to get it:
- Export your certificate from IIS as a PFX, set your password.
- Make sure you have openssl installed.
- Type: openssl pkcs12 -in yourExport.pfx -nocerts -out privateKey.pem
- Type: openssl pkcs12 -in yourExport.pfx -clcerts -nokeys -out publicCert.pem
- Type: openssl rsa -in privateKey.pem -out privateKey.pem
At each of the openssl steps you'll need to enter the PFX export password. The last step removes the password from the private key, which Amazon requires. Now copy and paste the contents of privateKey.pem and publicCert.pem into the load balancer certificate setup screen and you'll be set. Since privateKey.pem is now unencrypted, keep its file permissions tight and delete it once it has been uploaded.
Update the DNS CNAME entry for your site or your customer's site to point at the load balancer and you'll have SSL.
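The same three openssl steps as a script, added here as an example that is not part of the original post, with the check a practitioner wants before pasting anything into the console: that the extracted key really belongs to the extracted certificate. File names are assumptions; the PFX password is read from a PFX_PASSWORD environment variable instead of being typed at the prompts.

```shell
#!/bin/sh
# Added example, not from the original post: convert an IIS PFX export into
# the PEM key/cert pair the ELB listener expects, then confirm the key and
# certificate match. File names are assumptions; PFX_PASSWORD holds the
# export password so it stays off the command line and out of shell history.
set -eu

pfx_to_elb_pem() {
  pfx=$1        # exported .pfx from IIS
  out=$2        # output directory, created if missing
  mkdir -p "$out"
  umask 077     # the unencrypted key written below must stay owner-only

  # 1. Private key, still passphrase-protected at this point
  openssl pkcs12 -in "$pfx" -nocerts \
    -passin env:PFX_PASSWORD -passout env:PFX_PASSWORD \
    -out "$out/privateKey.enc.pem"

  # 2. Leaf (server) certificate only: no key, no CA certificates
  openssl pkcs12 -in "$pfx" -clcerts -nokeys \
    -passin env:PFX_PASSWORD -out "$out/publicCert.pem"

  # 3. Intermediate CA certificates, if the PFX carries any (file may be
  #    empty); these go into the optional certificate chain field
  openssl pkcs12 -in "$pfx" -cacerts -nokeys \
    -passin env:PFX_PASSWORD -out "$out/chain.pem"

  # 4. Strip the passphrase: the ELB console only accepts an unencrypted key
  openssl rsa -in "$out/privateKey.enc.pem" -passin env:PFX_PASSWORD \
    -out "$out/privateKey.pem"
  rm -f "$out/privateKey.enc.pem"
}

# Returns 0 when key and certificate carry the same public key (the right
# PFX was exported for this site), non-zero otherwise.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# Usage: PFX_PASSWORD=... ./pfx2elb.sh yourExport.pfx
if [ "${1:-}" != "" ]; then
  pfx_to_elb_pem "$1" elb-pem
  if key_matches_cert elb-pem/privateKey.pem elb-pem/publicCert.pem; then
    echo "key and certificate match; paste elb-pem/*.pem into the listener"
  else
    echo "key does not match certificate; check which PFX you exported" >&2
    exit 1
  fi
fi
```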