Add additional certificate bindings to default website

I have a bunch of websites that are running on Server 2012R2 in the context of the default website with different host headers, and unique certificates. I need to add a net new site and bind a net new certificate on port 443 for that specific site, while maintaining the bindings for the other sites using 443. I’m trying to use PowerShell with the WebAdministration module to run:

New-Item -Path "IIS:\SslBindings\*!443!" -Thumbprint "certthumbprint"

I’m getting the following warning and error though:

WARNING: Binding host name '' is not equals to certificate subject name ', OU=Domain Control Validated'. Client may not be able to connect to the site using HTTPS protocol.
Cannot create a file when that file already exists
+ CategoryInfo : NotSpecified: (:) [New-Item], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand

Should I be trying to add the new binding as!443!, or is there a way to update the 443 binding to be able to add the new site/certificate thumbprint combo?

You are restricted to one server certificate per endpoint (ip-port combination) since the server needs to use a particular server certificate for all connections to that endpoint (there are some rfcs about how the client can tell the server which certificate to choose but that is not implemented in iis7) - if a site is bound to multiple end-points, you can have multiple server certificates, one per endpoint.

Anil Ruia
Software Design Engineer
IIS Core Server
Multiple SSL Certificates on a Web Site in IIS7

But why are you not using a Wildcard cert (one cert for your entire domain and thus all host header sites) for this effort vs what sounds like you are trying to use individual certs?

Well, outside of the expense of wildcard certs.

You could also just add SANs to the cert for additional sites, but if you are adding and removing sites, updating that cert will become a management pain point. Well, you could use PoSH to replace it as well as it is updated.

Just curious.

Anyway, you could also still use appcmd.exe or manually update the ApplicationHost.config file.

In IIS8 W2K12, SNI is supported.
Example use case:

Unfortunately, these are all discrete sites that can’t be managed using a wildcard or a SAN certificate.

In your example, that is exactly what I am doing manually. I am editing the bindings to add the certificates for new sites that are created. I was hoping to see if there was a way to automate that in IIS8. So, we do have the host headers created. I just can’t figure out how to get the certificate bound outside of the IIS GUI.
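Building on the SNI pointer above, here is an added example (not code from any of the posts) of scripting exactly this in the WebAdministration module on IIS 8: create the host-header https binding with SNI enabled, then attach the certificate to that hostname only, so the existing *:443 bindings keep their own certificates. The site name, host header and thumbprint are assumed placeholders; the `!443!hostname` path form and `-SslFlags 1` are the IIS 8 SNI conventions of the SslBindings drive.

```powershell
# Added example, not from the thread. Replace the three assumed values below.
Import-Module WebAdministration

$siteName   = 'NewSite'                 # assumed: the new IIS site (already created)
$hostHeader = 'newsite.example.com'     # assumed: host header of that site
$thumbprint = 'THUMBPRINT_PLACEHOLDER'  # placeholder: thumbprint of the installed cert

# 1. The certificate (with private key) must already be in the machine store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

# 2. Add the https binding for this host header with SNI (SslFlags 1).
#    Without SNI every https binding on *:443 shares one endpoint and one cert,
#    which is why a plain New-Item on *!443! reports "file already exists".
$existing = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostHeader
if (-not $existing) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
                   -HostHeader $hostHeader -SslFlags 1
}

# 3. Bind the certificate to the per-hostname SNI endpoint.
#    SNI entries in the SslBindings drive are keyed as !port!hostname (no IP).
$sslPath = "IIS:\SslBindings\!443!$hostHeader"
if (Test-Path $sslPath) {
    Remove-Item $sslPath   # replacing an older cert for the same host header
}
New-Item -Path $sslPath -Value $cert -SslFlags 1 | Out-Null

# 4. Verify: the new hostname has its own entry, the other 443 entries are untouched.
Get-Item $sslPath | Format-List *
Get-ChildItem IIS:\SslBindings
```

Run it in an elevated session; the same `Test-Path` / `Remove-Item` step is what lets the script re-run during certificate renewals without tripping the "already exists" error.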