Replace Wildcard SSL On Multiple Sites Bound To Same IP

How to Replace a Wildcard SSL Certificate on Multiple IIS Sites Bound to the Same IP

When multiple IIS websites share the same IP+port combination (e.g., 10.100.0.12:443), they also share the same SSL certificate binding. This means that updating the certificate for **one** site effectively updates it for **all** sites using that socket.

This guide explains how to replace a wildcard SSL certificate on IIS using the Windows netsh HTTP SSL binding system — the layer that actually controls SSL at the OS level.


Understanding How IIS Handles SSL Bindings

IIS 7+ does not directly manage the certificate-to-socket SSL binding itself. IIS only ties websites to one or more sockets:

IP Address + Port

Windows manages the actual SSL certificate assignment for each socket. You control it using netsh http add sslcert.

Important: Binding a new SSL cert to a socket updates the SSL for all IIS sites using that IP+port.


Step 1 — Find the Certificate Hash (certhash)

First, list all certificates stored in the Windows “My” certificate store:

certutil -store My

If you want to find only the wildcard certificate more quickly (findstr /R treats each space-separated word as a separate pattern, so only the separator, Subject, and hash lines are printed):

certutil -store My | findstr /R "sha1 my-domain.com ===="

Example output:

================ Certificate 5 ================
Subject: CN=*.my-domain.com, OU=PositiveSSL Wildcard
Cert Hash(sha1): 12 34 56 78 90 12 34 56 78 90 12 34 56 78 90 12 34 56 78 90

The certhash is the SHA-1 hash with all spaces removed:

1234567890123456789012345678901234567890

Step 2 — Find the Application ID (appid)

Now list existing SSL bindings managed by the OS:

netsh http show sslcert

Or check a single socket:

netsh http show sslcert ipport=10.100.0.12:443

Example output:

IP:port                      : 10.100.0.12:443
Certificate Hash             : 1234567890123456789012345678901234567890
Application ID               : {12345678-1234-1234-1234-123456789012}
Certificate Store Name       : MY

The appid identifies the application that owns the SSL binding. For IIS, this is normally the built-in IIS GUID; reuse the appid shown for the existing binding.


Step 3 — Remove the Existing SSL Binding

Open an elevated Command Prompt (Run as Administrator) and remove the old binding:

netsh http delete sslcert ipport=10.100.0.12:443

You should see:

SSL Certificate successfully deleted

Step 4 — Bind the New SSL Certificate to the Socket

Use this command to assign the new certificate:

netsh http add sslcert ipport=10.100.0.12:443 certhash=1234567890123456789012345678901234567890 appid={12345678-1234-1234-1234-123456789012}

Use your own certhash and appid.

You should see:

SSL Certificate successfully added

Step 5 — SSL Updated for All IIS Sites

All IIS websites bound to 10.100.0.12:443 now automatically use the new wildcard SSL certificate. No need to manually re-bind SSL to each IIS site.

✔ You’re done — the new certificate is applied instantly across all websites using this IP+port.
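The five steps above as one elevated PowerShell script, added here as an example and not part of the original article. It assumes the article's sample socket (10.100.0.12:443) and wildcard name (*.my-domain.com), reads the appid from the existing binding instead of hard-coding it, and verifies the new hash before reporting success.

```powershell
# Added example: replace the wildcard certificate on an IIS socket with netsh,
# using the same steps as the article. Run from an elevated PowerShell session.
# The socket and wildcard name are the article's sample values (assumptions).
param(
    [string]$IpPort   = '10.100.0.12:443',
    [string]$Wildcard = '*.my-domain.com'
)

# Step 1: pick the newest non-expired cert for exactly this wildcard CN that has a private key.
$cnPattern = '^CN=' + [regex]::Escape($Wildcard) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $cnPattern -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key found for $Wildcard" }
$certhash = $cert.Thumbprint   # SHA-1 thumbprint, already without spaces

# Step 2: read the appid and current hash from the existing OS-level binding.
$current = (netsh http show sslcert ipport=$IpPort) -join "`n"
if ($current -notmatch 'Application ID\s*:\s*(\{[0-9a-f-]+\})') {
    throw "No existing SSL binding on $IpPort; nothing to replace"
}
$appid = $Matches[1]
$oldHash = if ($current -match 'Certificate Hash\s*:\s*([0-9a-f]+)') { $Matches[1] } else { '' }
if ($oldHash -ieq $certhash) { Write-Host "Socket $IpPort already uses $certhash"; return }

# Steps 3 and 4: replace the binding. This changes SSL for every IIS site on the socket.
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert ipport=$IpPort certhash=$certhash appid=$appid certstorename=MY | Out-Null

# Step 5: confirm the OS now reports the new hash before declaring the change done.
$after = (netsh http show sslcert ipport=$IpPort) -join "`n"
if ($after -match [regex]::Escape($certhash)) {
    Write-Host "Rebound $IpPort to '$($cert.Subject)' (expires $($cert.NotAfter))"
} else {
    throw "Binding on $IpPort does not show $certhash; re-add old hash $oldHash to restore service"
}
```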
