Host Header Site Collections and SSL

Something I ran into just the other day: say you have a bunch of Host Header Site Collections (HHSC) running in a non-SSL webapp, and someone comes along and asks you to enable SSL on these site collections while keeping non-SSL access functioning (I know, I thought it was a weird request as well).

Here are the steps I had to go through to get this working:

1. Generate a Subject Alternative Name (SAN) certificate that contains the DNS names of each HHSC you wish to enable SSL on. Install that cert through IIS Admin on each server.

2. Extend your non-SSL webapp to support SSL using the following PowerShell command:

Get-SPWebApplication <WebappURLToExtend> | New-SPWebApplicationExtension -Name "<NewSSLWebAppName>" -Zone "Extranet" -HostHeader "<OriginalWebappName>" -Path "<NewPathforIISFiles>" -Port "443" -url "https://<WebappName>:443" -SecureSocketsLayer

3. Once that is complete, launch IIS Admin on each SharePoint server and edit the binding for the extended webapp, and add the certificate to the extended webapp binding.

4. While in IIS Admin, go ahead and add an https binding to the extended webapp for each HHSC you need SSL access to.

5. On each SharePoint server, copy the web.config file from the non-SSL folder to the new SSL folder (this will ensure that any customizations you made to the webapp will be available in the SSL webapp).

6. Finally, you need to tell SharePoint that the SSL HHSC URLs need to be in the Extranet Zone (where you created the extended webapp). Execute this command for each HHSC you want to access via SSL:

Set-SPSiteUrl (Get-SPSite "http://<HHSCURL>") -Url "https://<HHSCURL>" -Zone Extranet

And that’s about it: your HHSC URLs will be available on port 80 and port 443.

(Now would be a great time to contact your load-balancer guys and remind them to have the physical load balancers start listening on port 443 as well as port 80.)
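
To confirm steps 1 through 6 on every server before the load balancers send HTTPS traffic to it, the added example below (not from the original post) connects to each SharePoint server directly, requests each HHSC name over TLS, and reports whether the certificate on the binding validates for that name. The server and host names are hypothetical placeholders, and it assumes TLS 1.2 is enabled on the servers.

```powershell
# Added example: server and host names at the bottom are hypothetical placeholders.
function Test-HhscTls {
    param(
        [Parameter(Mandatory)] [string[]] $Server,    # each SharePoint server with the IIS binding
        [Parameter(Mandatory)] [string[]] $HostName,  # each HHSC DNS name listed in the SAN cert
        [int] $Port = 443
    )
    foreach ($s in $Server) {
        foreach ($h in $HostName) {
            $result = [ordered]@{ Server = $s; HostName = $h; Ok = $false
                                  Subject = $null; NotAfter = $null; Error = $null }
            $tcp = New-Object System.Net.Sockets.TcpClient
            $ssl = $null
            try {
                # Connect to the server itself, bypassing DNS and the load balancer.
                $tcp.Connect($s, $Port)
                $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
                # Sends $h as the requested name and validates chain and name
                # against the certificate the binding presents; throws on mismatch.
                $ssl.AuthenticateAsClient($h, $null,
                    [System.Security.Authentication.SslProtocols]::Tls12, $false)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                $result.Ok       = $true
                $result.Subject  = $cert.Subject
                $result.NotAfter = $cert.NotAfter
            }
            catch {
                # Typical causes: name missing from the SAN list, untrusted chain,
                # expired cert, or no https binding on this server.
                $result.Error = $_.Exception.GetBaseException().Message
            }
            finally {
                if ($ssl) { $ssl.Dispose() }
                $tcp.Close()
            }
            [pscustomobject]$result
        }
    }
}

Test-HhscTls -Server 'SPWFE01', 'SPWFE02' `
             -HostName 'teams.contoso.example', 'hr.contoso.example' |
    Format-Table -AutoSize
```

Any row with Ok = False points at a server where the certificate or binding from steps 1, 3 or 4 is missing or does not cover that HHSC name.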