I was asked recently by a colleague whether a website defined in IIS could have multiple SSL certificates installed, so that the same website would answer requests for https://www.abc.com as well as https://www.def.com without the user's browser warning that the site's name did not match the name in the certificate.

The short answer to the question in the subject line is that in IIS 5 and IIS 6 a website can have only one certificate bound to it. You can install as many certificates as you like in the machine's certificate store, but each website selects exactly one. That doesn't mean the problem can't be solved (read on for some solutions that might work for you).

IIS associates a certificate with a website through a property in the IIS Metabase called SSLCertHash. Each website has room for a single SSLCertHash value, which is why a second certificate cannot be bound to the same site (see Figure 1).

Figure 1: SSLCertHash property in the IIS Metabase

The value stored in SSLCertHash is the server authentication certificate's "thumbprint", the SHA-1 hash of the certificate's DER encoding, which Windows computes for every certificate in the store. You can view it in the MMC after adding the Certificates snap-in (see Figure 2 below):

Figure 2: Certificate thumbprint
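The relationship above, as an added example (this is not code from the original post): a thumbprint computed the way Windows computes it, compared against an SSLCertHash value in the forms an administrator actually meets. The certificate bytes are a constructed stand-in, not a real certificate, and the assumption that MetaBase.xml serialises SSLCertHash as a plain hex string while ADSI returns raw bytes is mine. The comparison normalises rather than string-compares because text pasted from the MMC thumbprint field carries spaces between byte pairs and can carry an invisible U+200E (left-to-right mark) at the front.

```python
"""Compare an IIS 6 metabase SSLCertHash value with a certificate thumbprint.

Added example, not from the original post. A thumbprint is the SHA-1 digest of
the certificate's DER encoding; SSLCertHash holds the same 20 bytes. Assumed
representations: ADSI hands the value back as raw bytes, MetaBase.xml shows it
as a hex string, and the MMC shows it as spaced hex, sometimes with a leading
U+200E character when copied.
"""
import hashlib
import re


def thumbprint_of_der(der: bytes) -> str:
    """Thumbprint as Windows computes it: SHA-1 over the DER bytes, lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def normalise_thumbprint(value) -> str:
    """Reduce any representation of a thumbprint to 40 lowercase hex digits.

    Accepts raw bytes (as from ADSI) or text with spaces, colons, mixed case and
    stray non-printing characters (as pasted from the MMC).
    """
    if isinstance(value, (bytes, bytearray)):
        hexstr = bytes(value).hex()
    else:
        hexstr = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(hexstr) != 40:
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return hexstr


def binds_certificate(ssl_cert_hash, mmc_thumbprint: str) -> bool:
    """True if the site's SSLCertHash refers to the certificate with this thumbprint."""
    return normalise_thumbprint(ssl_cert_hash) == normalise_thumbprint(mmc_thumbprint)


# Constructed stand-in for a certificate's DER bytes. A real certificate would
# be read from the store or a .cer file; only the hashing relationship matters.
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed-stand-in-not-a-real-certificate"
THUMB = thumbprint_of_der(FAKE_DER)

# What an admin might paste from the MMC "Thumbprint" field: LRM, spaces, upper case.
PASTED_FROM_MMC = "\u200e" + " ".join(THUMB[i:i + 2] for i in range(0, 40, 2)).upper()
# What ADSI returns for SSLCertHash (assumed): the raw 20 bytes.
FROM_ADSI = bytes.fromhex(THUMB)
# What MetaBase.xml shows (assumed): the same bytes as a hex string.
FROM_METABASE_XML = THUMB

if __name__ == "__main__":
    print("ADSI value matches MMC thumbprint:", binds_certificate(FROM_ADSI, PASTED_FROM_MMC))
    print("MetaBase.xml value matches MMC thumbprint:",
          binds_certificate(FROM_METABASE_XML, PASTED_FROM_MMC))
```

The hidden U+200E character is the usual reason a thumbprint that looks right in a script still fails to select the certificate; stripping everything that is not a hex digit removes it along with the spaces.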

So, how do we get two FQDNs to serve the same web content over SSL/TLS without a name-mismatch warning in the client's browser? Here are some options:

  1. Create two websites, point the home directory of each to the same physical root folder on your server, and install one certificate in each. This requires two IP addresses (or running the websites on different ports), because host headers cannot be used to tell SSL websites apart in IIS 5 and IIS 6: the server has to present its certificate during the SSL handshake, before the client has sent the Host header that names the site it wants.
  2. Use a single certificate that carries both names (see Figure 3 below, which shows this done with multiple Common Names in the Subject). The reliable form is a certificate with a Subject Alternative Name (SAN) extension listing each FQDN as a dNSName: browsers match the requested hostname against the SAN entries, and the CN is only a legacy fallback consulted when no SAN name is present (recent browsers ignore it altogether), so a second CN is not something to depend on.
  3. Use a wildcard certificate (that matches *.domain.tld). Note its limits: the wildcard matches exactly one label, so *.abc.com covers www.abc.com but not abc.com or a.b.abc.com, and it only helps when both names sit under the same parent domain. For www.abc.com and www.def.com, which are in different domains, a wildcard does nothing and you need option 1 or option 2.

Figure 3: Multiple CNs in a certificate
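To see which of options 2 and 3 actually satisfies a given pair of hostnames, here is an added example (not code from the original post) that applies the hostname-matching rules browsers use, simplified from RFC 2818 and RFC 6125, to constructed certificate descriptions. The dictionaries stand in for parsed certificates and are my own construction; the names www.abc.com and www.def.com are the ones from the question. The `allow_cn_fallback` switch models the difference between a legacy browser that still consults the Subject CN and a current one that does not.

```python
"""Browser-style hostname matching, simplified from RFC 2818 / RFC 6125.

Added example, not code from the original post. Certificates are modelled as
plain dicts (constructed, not parsed from real certificates):
  "san": dNSName values from the Subject Alternative Name extension
  "cn":  Common Name values from the Subject
"""


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against one hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the complete leftmost label ("*.abc.com");
      * it matches exactly one label, so "*.abc.com" covers "www.abc.com" but
        neither "abc.com" nor "a.b.abc.com";
      * a wildcard with fewer than two labels after it ("*.com") is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if not all(h_labels):                      # empty label, e.g. ".abc.com"
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                           # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False                           # "*.com" would match every .com host
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str, allow_cn_fallback: bool = True) -> bool:
    """Decide whether a browser would accept `cert` for `hostname`.

    If the certificate carries any SAN dNSName, only those are consulted. The
    Subject CN is a legacy fallback for certificates without SAN names, and a
    current browser (allow_cn_fallback=False) does not consult it at all.
    """
    san = cert.get("san") or []
    if san:
        return any(_label_match(name, hostname) for name in san)
    if not allow_cn_fallback:
        return False
    return any(_label_match(name, hostname) for name in cert.get("cn") or [])


def coverage(cert: dict, hostnames, allow_cn_fallback: bool = True) -> dict:
    """Map each hostname to whether `cert` would be accepted for it."""
    return {h: hostname_matches(cert, h, allow_cn_fallback) for h in hostnames}


# Constructed certificate shapes corresponding to the options in the post.
SINGLE_CN = {"cn": ["www.abc.com"]}                                        # ordinary one-name cert
MULTI_CN = {"cn": ["www.abc.com", "www.def.com"]}                          # Figure 3: two CNs, no SAN
SAN_CERT = {"cn": ["www.abc.com"], "san": ["www.abc.com", "www.def.com"]}  # SAN (UCC) cert
WILDCARD_ABC = {"cn": ["*.abc.com"], "san": ["*.abc.com"]}                 # wildcard for one domain

HOSTS = ["www.abc.com", "www.def.com", "abc.com", "a.b.abc.com"]

if __name__ == "__main__":
    for name, cert in [("single CN", SINGLE_CN), ("multiple CN", MULTI_CN),
                       ("SAN", SAN_CERT), ("wildcard", WILDCARD_ABC)]:
        print(f"{name:12s} legacy browser: {coverage(cert, HOSTS)}")
        print(f"{'':12s} modern browser: {coverage(cert, HOSTS, allow_cn_fallback=False)}")
```

Running it shows the point of the caveats above: the two-CN certificate only works while a browser still falls back to the CN, the SAN certificate covers both names under either rule, and the wildcard covers www.abc.com but neither abc.com nor www.def.com.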