We are using IIS 6 and ASP.Net, When users make secure page requests using

https://somesite.com/securePage.aspx

the user gets an error:

---

Error code: ssl error bad cert domain

---

The certificate was issued to www.somesite.com and indicates that somesite.com uses an invalid security certificate.

I was hoping to be able to catch the request in the Application BeginRequest event but the SSL error occurs before this. In order to invoke the Application BeginRequest event the user needs to click through the certificate error message. Is it possible to redirect in code or does this fix need to occur within IIS?

The only solution is to include the second domain in the certificate with a SubjectAlternativeName. Some certificate authorities will allow you to do this without extra cost.

Everything else would only happen after the ssl connection is established and therefor after the error is encountered by the user.

With HTTPS the ssl connection is negotiated before any of the HTTP headers are sent to the server, including the Host:-header that tells the server for which virtual host the request is actually intended.

I was able to solve this problem using IIS's rewrite feature. Turned out to be really easy to fix and we didn't have to purchase a new cert.

HOP is correct with his answer. Owen also if we had the luxury of using IIS 7 as Rewrite rules similar to the mod_rewrite rule of Apache is now possible from within IIS.

After further investigation today together with our Network Admins and our SSL Cert provider applying a SAN to our Certificate is quite possible and at no charge.

However due to political issues within the ORG it was decided that DEV (my group) institute a redirect to the registered domain within the Application BeginRequest event. For each request we will check that the URL points to our FQDN. If the request is made to the 'Short Name' then we will point it to the FQDN always by appending the www to the short name that will be returned by the context.Host method.

No doubt this will increase chattiness etc.!

I did some testing on this on one of my servers and here is what I found.

We have a UCC certificate which will work for 5 domains. My 5 domains are

master mydomain.com

sub alt names: mysite.com myweb.com thissite.com www.thissite.com

The reason it is set up like that is because I didn't quite understand that it wanted www. when I made it.

So,

https://mydomain.com - works
https://www.mydomain.com - works
https://www.mysite.com - ERROR
https://mysite.com - works
https://thissite.com - works
https://www.thissite.com - works.

If you have a UCC cert (it seems you do) add a subject alternate name with the www on the domain in question. It will then work for both.

I went through all the steps of trying to redirect with .htaccess and server side scripting. But, hop is right, it will not do anything if you dont fix the cert.

You will likely have to drop a domain when you rekey your cert. Just remember which one you dropped and get a new cert for that one. I will forever and always REFUSE to buy UCC certs from now on. More problems than they are worth. 1 domain = 1 cert.

If your domain is making money then its worth the money, if your not making any money - do you really need the cert?

Intresting. I have never observed this behavior in any site until I saw this question. Even google has this problem. The url below gives the bad cert error

https://google.com/accounts/

Btw, Most of the sites has a subdomain to which they protect it with a certificate. One vote up for the question.

In Apache this is usually done with mod_rewrite:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

Google for "rewrite URL IIS", you'll find some equivalents for IIS.