57

Can you advise me whether it is possible or not to assign an SSL Certificate to a website in IIS7 using the APPCMD application?

I am familiar with the command to set the HTTPS Binding

appcmd set site /site.name:"A Site" /+bindings.[protocol='https',bindingInformation='*:443:www.mysite.com']

and how to obtain current mappings

%windir%\system32\inetsrv\Appcmd

but I cannot seem to find any way to map a site to a certificate (say the certificate's hash, for example).

David Christiansen

9 Answers

54

The answer is to use NETSH. For example

netsh http add sslcert ipport=0.0.0.0:443 certhash='baf9926b466e8565217b5e6287c97973dcd54874' appid='{ab3c58f7-8316-42e3-bc6e-771d4ce4b201}'
David Christiansen
  • I simply use a random GUID for the appID – David Christiansen Jul 05 '11 at 11:35
  • Doesn't work for me: SSL Certificate add failed, Error: 183 Cannot create a file when that file already exists. – littlegreen Apr 03 '12 at 14:46
  • Try to look here, you might need a non-default name: http://msdn.microsoft.com/en-us/library/windows/desktop/cc307220(v=vs.85).aspx – Martin Clemens Bloch Jul 18 '13 at 12:03
  • Typing `netsh http show sslcert` will give the appid and certhash of certificates installed on the machine. – tigrou Jun 20 '14 at 12:55
  • `netsh http show sslcert` doesn't show anything for me, and I was expecting it to at least show the self-signed certificate that comes by default with IIS called `TenantEncryptionCert` – ympostor Feb 14 '17 at 10:43
  • Greetings, powershellers from the future. Remember to add single quotes in appid='{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}' – ciriarte Apr 11 '17 at 19:43
  • Can someone elaborate on how to get the app id for a specific site? I tried Get-StartApps but there doesn't appear to be any sites listed in that. – user3505901 May 22 '18 at 14:41
  • In case anyone is trying to automate this with chef, it looks like it's a routine in `windows/resources/certificate_binding.rb` – Sridhar Sarnobat May 25 '18 at 22:56
  • *Where do you get the appid?* I use `{4dc3e181-e14b-4a21-b022-59fc669b0914}`, which is the appid for IIS, and is used when you do this in the IIS Manager UI. *Doesn't work for me: SSL Certificate add failed, Error: 183 Cannot create a file when that file already exists.* You're trying to configure a port that is already configured, see `netsh http show sslcert` and `netsh http delete sslcert` for checking and deleting configs. *Remember to add single quotes ...* Single quotes are shown here, you need to remove them if using a Windows command prompt. – SeanN Aug 09 '18 at 15:18
18

This helped me a lot: a simple guide, by Sukesh Ashok Kumar, to setting up SSL for IIS from the command line. Includes importing/generating the certificate with certutil / makecert.

http://www.awesomeideas.net/post/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx

EDIT: if the original URL is down, it's still available through the Wayback Machine.

orip
9

With PowerShell and the WebAdministration module, you can do the following to assign an SSL certificate to an IIS site:

# ensure you have the IIS module imported
Import-Module WebAdministration

cd IIS:\SslBindings
Get-Item cert:\LocalMachine\My\7ABF581E134280162AFFFC81E62011787B3B19B5 | New-Item 0.0.0.0!443

Things to note... the value, "7ABF581E134280162AFFFC81E62011787B3B19B5" is the thumbprint for the certificate you want to import. So it needs to be imported into the certificate store first. The New-Item cmdlet takes in the IP address (0.0.0.0 for all IPs) and the port.

See http://learn.iis.net/page.aspx/491/powershell-snap-in-configuring-ssl-with-the-iis-powershell-snap-in/ for more details.

I've tested this in Windows Server 2008 R2 as well as Windows Server 2012 pre-release.

David Mohundro
4

@David and @orip have it right.

However, I did want to mention that the ipport parameter specified in the example (0.0.0.0:443) is what the MSDN calls the "unspecified address (IPv4: 0.0.0.0 or IPv6: [::])".

I went and looked it up, so I figured I'd document it here to save someone else the time. This article focuses on SQL Server, but the information is still relevant:

http://msdn.microsoft.com/en-us/library/ms186362.aspx

fordareh
1

Using the answers from this post, I created a single script that did the trick for me. It starts from the pfx file, but you could skip that step.

Here it is:

cd C:\Windows\System32\inetsrv

certutil -f -p "pa$$word" -importpfx "C:\temp\mycert.pfx"

REM The thumbprint is gained by installing the certificate, going to cert manager > personal, clicking on it, then getting the Thumbprint.
REM Be careful copying the thumbprint. It can add hidden characters, esp at the front.
REM appid can be any valid guid
netsh http add sslcert ipport=0.0.0.0:443 certhash=5de934dc39cme0234098234098dd111111111115 appid={75B2A5EC-5FD8-4B89-A29F-E5D038D5E289}

REM bind to all ip's with no domain. There are plenty of examples with domain binding on the web
appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']
JsAndDotNet
  • Why do you use `netsh` and `appcmd`? I'm trying to understand the process, but it seems to me that they are doing the same thing (create the binding for all IPs). Am I missing something? – James Mar 19 '19 at 22:10
1

If you're trying to perform IIS Administration without using the MMC snap-in GUI, you should use the powershell WebAdministration module.

The other answers on this blog don't work on later versions of Windows Server (2012)

4b0
1

Using PowerShell + netsh:

# Look up the thumbprint of the certificate whose subject CN matches the host name
$certificateName = 'example.com'
$thumbprint = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object { $_.Subject.StartsWith("CN=$certificateName") } | Select-Object -ExpandProperty Thumbprint
# A freshly generated GUID in braces ("B" format) is accepted by http.sys as the appid
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert ipport="0.0.0.0:443" certhash=$thumbprint certstorename=MY appid="$guid"

If you need a named binding, replace the netsh call with this:

# ${certificateName} is braced so PowerShell does not parse "certificateName:" as a scope/drive qualifier
netsh http add sslcert hostnameport="${certificateName}:443" certhash=$thumbprint certstorename=MY appid="$guid"
Sergey Nudnov
1

With IISAdministration 1.1.0.0 (https://www.powershellgallery.com/packages/IISAdministration/1.1.0.0) you can use the following code to add a new HTTPS binding to a specific site:

$thumbPrint = (gci Cert:\localmachine\My | Where-Object { $_.Subject -Like "certSubject*" }).Thumbprint
New-IISSiteBinding -Name "Site Name" -BindingInformation "*:443:" -CertificateThumbPrint $thumbPrint -CertStoreLocation My -Protocol https

View existing bindings with

Get-IISSiteBinding -Name "Site Name"

Remove an existing binding with

Remove-IISSiteBinding -Name "Site Name" -BindingInformation "*:443:" -Protocol https -Confirm:$False
jansohn
0

With some re-entrancy capabilities:

# $mypwd is assumed to already hold the PFX password as plain text
$securePfxKey=ConvertTo-SecureString -String $mypwd -AsPlainText -Force
Import-PfxCertificate -FilePath MySpector.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $securePfxKey
# Read the thumbprint straight from the PFX instead of copying it out of the MMC
$mypfx=Get-PfxData -FilePath MySpector.pfx -Password $securePfxKey
$newThumbprint=$mypfx.EndEntityCertificates.Thumbprint
$applicationID="{4dc3e181-e14b-4a21-b022-59fc669b0914}" # hardcode it once
# Drop any existing binding on the port first so a re-run does not fail with Error 183
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=$newThumbprint appid=$applicationID
Thierry Brémard
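An added PowerShell example, not code from any of the answers above, that folds together the netsh approach from the accepted answer, the delete-then-add handling of Error 183 from SeanN's comment and Thierry Brémard's script, and the thumbprint clean-up warning in JsAndDotNet's script into one idempotent function that also verifies what http.sys ended up holding. The function names and the `netsh http show sslcert` output labels it parses are assumptions; it expects the certificate (with private key) to already be in Cert:\LocalMachine\My.

```powershell
# Added example: idempotent HTTPS binding for an IIS site (not code from any answer above).
# Assumes the certificate is already in Cert:\LocalMachine\My and WebAdministration is available.

function Get-SslCertBinding {
    # Parse `netsh http show sslcert` for one ip:port; returns $null when nothing is bound there.
    param([string]$IpPort = '0.0.0.0:443')
    $out = (netsh http show sslcert ipport=$IpPort 2>&1) -join "`n"
    if ($out -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { return $null }
    $hash = $Matches[1].ToLower()
    $appId = if ($out -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') { $Matches[1] } else { $null }
    [pscustomobject]@{ IpPort = $IpPort; CertHash = $hash; AppId = $appId }
}

function Set-IisHttpsBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$IpPort = '0.0.0.0:443',
        # IIS's own appid as quoted in SeanN's comment; http.sys accepts any GUID here
        [string]$AppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
    )
    # Strip the invisible characters the MMC thumbprint field is known to paste in
    $Thumbprint = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToLower()
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; import the PFX, not a .cer" }

    $existing = Get-SslCertBinding -IpPort $IpPort
    if ($existing -and $existing.CertHash -eq $Thumbprint) {
        Write-Verbose "$IpPort is already bound to $Thumbprint"
    } else {
        # A second `add` on a port that is already bound fails with Error 183, so delete first
        if ($existing) { netsh http delete sslcert ipport=$IpPort | Out-Null }
        netsh http add sslcert ipport=$IpPort certhash=$Thumbprint certstorename=MY appid="$AppId" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $IpPort" }
    }

    # Site-level binding: the PowerShell equivalent of the appcmd /+bindings call in the question
    Import-Module WebAdministration
    $port = [int]$IpPort.Split(':')[-1]
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $port -IPAddress '*' | Out-Null
    }
    Get-SslCertBinding -IpPort $IpPort   # return what http.sys actually holds, for verification
}

# Usage (run elevated): Set-IisHttpsBinding -SiteName 'Default Web Site' -Thumbprint '<thumbprint>' -Verbose
```

Comparing the returned CertHash against the thumbprint you intended to bind is the quickest way to catch a binding that silently kept an old or expired certificate.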