SSL Improvements in IIS 8.0
Microsoft introduced IIS 8.0 with the recent beta release of Windows Server 8. IIS 8.0 has a lot of new features aimed at large-scale web hosts, with substantial performance improvements for handling thousands of sites on a single server farm. I will post a detailed article about what is new in IIS 8.0 later; since it is still in beta, there is a good chance more features will be added. For now, let me check what has changed on the SSL side.
IIS 8 has three major improvements on the SSL side: a Central Certificate Store (CCS), Server Name Indication (SNI) support, and SSL scalability.
If you have not hosted large numbers of SSL sites on one server, you may not realize how much of an improvement this is.
- In a multi-tenant environment such as shared hosting, previous versions of IIS (6.0, 7.0, 7.5) limit how many secure sites can be hosted on one Windows server, resulting in low site density.
- Each SSL site needs its own IP address (there is no host header to select a site by name before the TLS handshake), and after adding a few sites, startup becomes slow and memory demand high: each certificate is loaded into memory on the first visit to its site, which creates a large memory footprint and a long delay on that first load.
- In IIS 8 the certificate count scales to thousands of secure sites per machine with almost instantaneous first loads. Only the certificate that is needed is loaded, and it is unloaded again after a configurable idle period. Enumerating and loading large numbers of certificates is also substantially faster.
- IIS's handling of configuration files (*.config) has been reworked for the same kind of scale.
Centralized certificate management (CCS)
IIS 6.0, 7.0 and 7.5 force you to import each certificate into the certificate store of every server and then bind it to each site, which is a challenging, time-consuming task for an IIS admin who is handling a whole farm's worth of servers.
IIS 8.0 adds a Central Certificate Store (CCS), which keeps the certificates on a central file share instead of on each machine and site. The name of the certificate file (for example www.contoso.com.pfx) is used to map and bind the certificate to the domain in question automatically, and multi-domain certificates are also supported through this scheme. Because the share holds private keys, its ACL and the account IIS uses to read it need the same protection you would give a local certificate store.
SNI/SSL Host Header
Using host headers and a shared IP address with SSL has always been problematic: the host header travels inside the encrypted HTTP request, so the server has to pick a certificate before it can see which site the client wants. Server Name Indication (SNI), a TLS extension defined in RFC 6066 (originally RFC 3546 from 2003), solves this by having the client send the host name in the clear in its ClientHello, which lets many SSL sites share the same IP address. IIS 8 now offers SNI support.
IIS 8 makes SNI a first-class citizen of the site's host header bindings.
Note that SNI does not work with every client. Internet Explorer 6 does not support it, and no version of Internet Explorer on Windows XP does, because the SChannel TLS stack on XP lacks SNI (browsers that ship their own TLS library, such as Firefox, do support SNI on XP). Over 90% of the browsers in use today support SNI, but it is not universal: a client that sends no SNI gets whatever certificate is bound to the bare IP and port, or fails the handshake if there is none. More details and a list of browsers can be found here: http://en.wikipedia.org/wiki/Server_Name_Indication
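The following PowerShell script is an added example, not code from the original post or from Microsoft, that ties the CCS and SNI sections together: it stages certificate files under the CCS naming convention, points IIS at the share, creates SNI bindings on one shared IP, and adds a fallback binding for clients that send no SNI. The share path, account, passwords, site names, host names, source file paths and thumbprint are all assumed values; replace them with your own.

```powershell
# Added example (not from the original post): configure the IIS 8 Central
# Certificate Store and SNI bindings with the WebAdministration module.
# Assumed: share \\certstore\ccs, account CONTOSO\ccs-reader, the passwords,
# site/host names and source .pfx paths below. Run elevated on a server with the
# Centralized SSL Certificate Support feature installed
# (Install-WindowsFeature Web-CertProvider).

Import-Module WebAdministration

$share   = '\\certstore\ccs'        # assumed file share holding the .pfx files
$ccsUser = 'CONTOSO\ccs-reader'     # assumed account IIS uses to read the share
$ccsPass = 'ReadOnlyShare!Pass'     # assumed; keep out of scripts in production
$pfxPass = 'Pfx!Pass'               # CCS applies ONE private-key password to every file

# 1. CCS naming convention: the file name is the host name, so IIS can pick a
#    certificate from the SNI host name with no per-site configuration.
#    A wildcard certificate is stored with '_' in place of '*'.
#    A SAN certificate covering several names is copied once per name.
$files = @{
  'www.contoso.com.pfx'  = 'C:\certs\contoso.pfx'           # assumed source files
  '_.fabrikam.com.pfx'   = 'C:\certs\wildcard-fabrikam.pfx'
  'shop.example.org.pfx' = 'C:\certs\san-example.pfx'
  'api.example.org.pfx'  = 'C:\certs\san-example.pfx'       # same SAN cert, second name
}
foreach ($name in $files.Keys) {
  Copy-Item -Path $files[$name] -Destination (Join-Path $share $name) -Force
}

# 2. Point IIS at the share. The credentials and PFX password are stored
#    (encrypted) in applicationHost.config, so protect that file as well as the
#    share ACL: the share holds private keys, so grant read access only to the
#    account the IIS servers use.
Enable-WebCentralCertProvider -CertStoreLocation $share -UserName $ccsUser `
    -Password $ccsPass -PrivateKeyPassword $pfxPass

# 3. HTTPS bindings on a single shared IP. SslFlags: 1 = require SNI,
#    2 = take the certificate from CCS, 3 = both. No certificate hash is needed;
#    the host header selects the file in the store.
$bindings = @(
  @{ Site = 'Contoso';  Host = 'www.contoso.com' },
  @{ Site = 'Fabrikam'; Host = 'portal.fabrikam.com' },   # matched by _.fabrikam.com.pfx
  @{ Site = 'Shop';     Host = 'shop.example.org' }
)
foreach ($b in $bindings) {
  New-WebBinding -Name $b.Site -Protocol https -Port 443 -IPAddress '*' `
      -HostHeader $b.Host -SslFlags 3
}

# 4. Fallback for clients that send no SNI (for example Internet Explorer on
#    Windows XP): a plain IP:port binding backed by a certificate in the local
#    machine store. Without it those clients fail the handshake. The thumbprint
#    is assumed; use that of the certificate non-SNI clients should see.
$fallbackThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
New-WebBinding -Name 'Contoso' -Protocol https -Port 443 -IPAddress '*' -SslFlags 0
$cert = Get-Item "Cert:\LocalMachine\My\$fallbackThumbprint"
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# 5. Verify: list the HTTPS bindings with their flags.
Get-WebBinding -Protocol https |
  Select-Object bindingInformation, sslFlags |
  Format-Table -AutoSize
```

To check the result from a client, compare `openssl s_client -connect <server>:443 -servername www.contoso.com` with the same command without `-servername`: the first should present the contoso certificate from the store, the second the fallback certificate, and a host name with no file in the store and no fallback binding should fail the handshake. Two things to keep in mind: CCS uses a single private-key password for the whole store, so every PFX file on the share must be protected with it (or with none), and the share is now the most sensitive asset in the farm, so audit its ACL and access logs like you would a key store.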