68

Following the instructions in How to: Configure a Port with an SSL Certificate, I entered this command on the command line (duh):

netsh http add sslcert ipport:10.141.146.227:7001 certhash=5d48e604007b867ae8a69260a4ad318d2c05d8ff appid={EDE3C891-306C-40fe-BAD4-895B236A1CC8}

Output:

The parameter is incorrect.

My certhash thumbprint was taken from the certificate in the Certificates (Local Computer)\Personal\Certificates folder.

The appid GUID was generated.

What else is wrong that I need to fix to get this to work?

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Derrick
  • 831
  • 1
  • 7
  • 9
  • 2
    Useful info on calling external programs from PowerShell "the right way" here...http://edgylogic.com/blog/powershell-and-external-commands-done-right/ – andyb Mar 08 '14 at 21:42
  • 2
    I realized it was all because of my ORDERING! You gotta put `appid` before `certhash`. It's that dumb. – Alexandru Jul 09 '15 at 15:14
  • 9
    For me, the copy-pasted certhash from windows cert manager had some weird character in front - make sure it's just alphanumeric and there is no weird leading chars. – Jacek Gorgoń Sep 24 '15 at 14:32
  • 1
    @JacekGorgoń Yes, me too. Probably a [zero-width space](https://en.wikipedia.org/wiki/Zero-width_space). – Uwe Keim May 18 '17 at 15:58
  • In my case, I got the "incorrect parameter" error because I included the `certhash` and `appid` values inside single quotes (`'`). After removing the single quotes, everything succeeded. – Uwe Keim May 18 '17 at 15:59
  • For me it was characters in uppercase in the fingerprint... – Wifsimster Jun 19 '18 at 12:25
  • Where does *"thumbprint"* come from (used in several answers)? Isn't it *[fingerprint](https://en.wikipedia.org/wiki/Public_key_fingerprint)*? OK, it is used in the supplied Microsoft reference. [Call the whole thing off](https://www.youtube.com/watch?v=qRrw2hDjnl4&t=25s)? – Peter Mortensen Sep 11 '22 at 22:52

21 Answers

102

In PowerShell, just type as follows. First get into netsh HTTP mode and then add sslcert. It worked for me.

netsh

In the netsh session:

http

add sslcert ipport=0.0.0.0:13286 appid='{a5455c78-6489-4e13-b395-47fbdee0e7e6}' certhash=<thumbprint without space>
Abdul Hakim
  • 1,029
  • 1
  • 7
  • 2
  • @abdul-hakim I am trying to add an sslcert using netsh http from within a powershell ps1 file, but it keeps throwing errors when I specify a GUID value for the appid. Here is my code: $guid = [guid]::NewGuid(); netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumb appid={$guid} – crazyTech Mar 04 '13 at 22:08
  • 11
    If doing fully on PowerShell command line or a ps1 script remember to quote the curly braces; else PowerShell will be confused. – codingoutloud Mar 08 '14 at 17:19
  • 3
    I realized it was all because of my ORDERING! You gotta put `appid` before `certhash`. It's that dumb. – Alexandru Jul 09 '15 at 15:14
  • 2
    @Alexandru -- and I had to not only do that but also *remove* the quotes. Yes... dumb is right. :P – Lars Kemmann Sep 16 '16 at 02:48
  • @LarsKemmann - quotes are for PowerShell, no quotes for command shell - see codingoutloud's answer below – CJM May 19 '17 at 11:24
  • 2
    @Alexandru you do not have to put appid before certhash - it is likely that doing that inadvertently fixed a different issue for you. – CJM May 19 '17 at 11:25
  • You have to REMOVE all quotes around appid, otherwise you get "The parameter is incorrect". – AlexPi Dec 22 '20 at 04:48
  • I realized the command posted by OP doesn't work in Powershell but works fine in CMD – mshwf Oct 13 '21 at 12:52
49

Another possible cause for this problem is hidden characters being copied from the Certificate Manager page. If you copy the thumbprint from the details window in Certificates, check for a hidden character at the start (use your arrow keys!). This was the cause for me of the "The Parameter is Incorrect" error message.

Richard
  • 29,854
  • 11
  • 77
  • 120
  • 2
    You're awesome. There is a weird little tick when there is a special character. I noticed it at first but didn't think anything of it. Just removed that special character and SUCCESS. Thanks! – dst3p Jan 25 '17 at 05:15
  • What hidden character is it? A hex dump will usually reveal an [UTF-8](https://en.wikipedia.org/wiki/UTF-8) byte sequence (and thus the Unicode [code point](https://en.wikipedia.org/wiki/Code_point)). One or more Unicode code points can be detected (and search/replaced (deleted)) with regular expressions in most modern text editors, even zero width ones. For example, `\x{00A0}|\x{200B}|\x{200C}|\x{2013}|\x{2014}|\x{201C}|\x{201D}|\x{2212}|\x{00E4}|\x{FFFD}|\x{2217}|\x{200C}|\x{202B}|\x{202A}` to search for the most common ones. – Peter Mortensen Sep 14 '22 at 11:33
  • "200B" is [ZERO WIDTH SPACE](https://www.utf8-chartable.de/unicode-utf8-table.pl?start=8192&number=128). – Peter Mortensen Sep 14 '22 at 11:38
  • [Another answer](https://stackoverflow.com/questions/779228/the-parameter-is-incorrect-error-using-netsh-http-add-sslcert/39526468#39526468) lists "0x3F 0x38", but it isn't clear if that is the actual byte sequence. – Peter Mortensen Sep 14 '22 at 12:16
41

The PowerShell command line and PowerShell scripts in .ps1 files will think curly brackets {...} are PowerShell directives. So quote them. Otherwise, as you have seen, PowerShell will be confused.

So rather than this (which you found fails):

netsh http add sslcert ipport:10.141.146.227:7001 certhash=5d48e604007b867ae8a69260a4ad318d2c05d8ff appid={EDE3C891-306C-40fe-BAD4-895B236A1CC8}

Do this (note the single quotes):

netsh http add sslcert ipport=10.141.146.227:7001 certhash=5d48e604007b867ae8a69260a4ad318d2c05d8ff appid='{EDE3C891-306C-40fe-BAD4-895B236A1CC8}'

Here is some information about PowerShell syntax with curly braces:

PowerShell and the hidden art of curly braces and other braces

codingoutloud
  • 2,115
  • 19
  • 21
  • 1
    This. You get the same error in cmd if you don't include the curly braces on the guid, or if you don't quote them in powershell. –  Mar 28 '17 at 14:12
  • definitely the single quotes in powershell! – reckface Jan 23 '19 at 09:08
18

Looking at the syntax for the netsh command, I saw this example:

add sslcert ipport=1.1.1.1:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

By the looks of it, your problem is that you're doing

ipport:10.141.146.227:7001
      ^

as opposed to

ipport=10.141.146.227:7001
      ^
cmptrgeekken
  • 8,052
  • 3
  • 29
  • 35
14

I faced this problem several times and every time it had a different cause. Here are the causes and exact commands that worked for me.

Here are some causes:

  1. Copy and pasting a certificate thumbprint from the Windows dialog adds a hidden character to your hash. It is not visible in text editors, but you need to remove the character to make it work.

  2. An SSL thumbprint should be available in Personal\Certificates to work with localhost.

  3. It should be 'ipport=', not 'ipport:'

  4. SSL certificate should have a private key. If you are using the certificate management console, make sure that it has a little key icon on the certificate view.

  5. The GUID should be defined in full format: {a10b0420-a21f-45de-a1f8-818b5001145a}, and it should have single quotes in PowerShell: '{a10b0420-a21f-45de-a1f8-818b5001145a}' Thus, the PowerShell format is different from the command line.

  6. SSL certificate should have complete characters with all padding '0's and without any space. You may copy the thumbprint (be careful to remove special hidden characters) and remove spaces, or use 'netsh http show sslcert' to get the value if the certificate is already registered for another address.

What worked for me:

Here is the exact command that worked for me in PowerShell:

netsh http add sslcert ipport=0.0.0.0:20001 certhash=5304c034548b27c72b5e9c14f0c7bdd13e52d760 appid='{a10b0420-a21f-45de-a1f8-818b5001145a}'

And here is the command line statement:

netsh
http add sslcert ipport=0.0.0.0:20001 certhash=5304c034548b27c72b5e9c14f0c7bdd13e52d760 appid={a10b0420-a21f-45de-a1f8-818b5001145a}

More commands to help you avoid related problems:

Use the following command to see current registered certificate. You may find and reuse certhash or your appid from there:

netsh http show sslcert

If the certificate is already registered with similar ip and port, you need to remove it. I found it causes a problem with localhost, 127.0.0.1 and 0.0.0.0. You need to have only 0.0.0.0 registered in your testing environment. Use the following command to remove potential corrupted certificates:

netsh http delete sslcert ipport=0.0.0.0:20001
mohghaderi
  • 2,520
  • 1
  • 19
  • 12
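
The checks listed in the answer above (hidden characters, 40 hex digits, `ipport=`, full GUID format, private key) can be scripted. This is an added example, not code from any answer on this page; the function and parameter names are hypothetical, and it assumes an IPv4 `ipport` binding and a certificate in the LocalMachine\My store.

```powershell
# Added example; function and parameter names are hypothetical.
function New-SslCertBindingArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,  # as pasted, may contain debris
        [Parameter(Mandatory)] [string] $IpPort,      # IPv4 only here, e.g. 0.0.0.0:20001
        [Parameter(Mandatory)] [string] $AppId,       # GUID, with or without braces
        [switch] $CheckStore                          # also look the cert up in LocalMachine\My
    )

    # Name any invisible format/control characters (e.g. U+200E, U+200B) before removing them.
    $hidden = [regex]::Matches($Thumbprint, '[\p{Cf}\p{Cc}]') |
        ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value }
    if ($hidden) { Write-Warning "Removed hidden characters: $($hidden -join ', ')" }

    # Strip whitespace and invisible characters only; anything else (such as '?') must fail.
    $hash = $Thumbprint -replace '[\s\p{Cf}\p{Cc}]', ''
    if ($hash -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "certhash must be exactly 40 hex digits (got $($hash.Length) characters): '$hash'"
    }
    if ($IpPort -notmatch '^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$') {
        throw "ipport value must look like 0.0.0.0:443, got '$IpPort'"
    }
    # [guid]::Parse throws on malformed input; 'B' renders {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
    $guid = [guid]::Parse($AppId).ToString('B')

    if ($CheckStore) {
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction Stop
        if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key." }
    }

    # Each element is one argument, so PowerShell never parses the braces as a script block.
    return @('http', 'add', 'sslcert', "ipport=$IpPort", "certhash=$hash", "appid=$guid")
}

# Constructed input: the question's thumbprint with a U+200E mark and spaces added.
$pasted = "$([char]0x200E)5d 48 e6 04 00 7b 86 7a e8 a6 92 60 a4 ad 31 8d 2c 05 d8 ff"
$netshArgs = New-SslCertBindingArgs -Thumbprint $pasted -IpPort '10.141.146.227:7001' `
    -AppId 'EDE3C891-306C-40fe-BAD4-895B236A1CC8'
$netshArgs -join ' '      # inspect the command line that would be passed to netsh
# & netsh @netshArgs      # run from an elevated prompt to create the binding
```

Add `-CheckStore` on the machine that holds the certificate to confirm the thumbprint resolves and has a private key before calling netsh.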
11

Copying the certificate thumbprint from the Certificate\Details\Thumbprint would prepend the thumbprint value with the bytes '3f38' which, when converted to ANSI were shown as a '?'. This hidden value caused the issue for me.

I pasted the value into Notepad++, chose Encoding > Convert to ANSI, and then I manually removed the prepended '?' characters. I would then have a clean thumbprint value to use.

Andreas Presthammer
  • 1,886
  • 2
  • 19
  • 31
  • 3F38 is both the Unicode [code point](https://en.wikipedia.org/wiki/Code_point) and [UTF-16](https://en.wikipedia.org/wiki/UTF-16) byte sequence (UTF-8 0xE3 0xBC 0xB8) for "[CJK UNIFIED IDEOGRAPH-3F38](https://codepoints.net/U+3F38)" (㼸), but given the context that is probably not it. 0x3F is itself question mark ("`?`"). A coincidence? – Peter Mortensen Sep 14 '22 at 12:24
10
  1. Copy the command into Notepad
  2. Save it as ANSI
  3. Close and reopen the file
  4. Remove bogus ? characters
  5. Copy from Notepad to the command prompt and run the command
tcb
  • 4,408
  • 5
  • 34
  • 51
5

I was getting this error as well when I was just getting started with HTTP.sys (IIS). After I ran:

netsh http add iplisten ipaddress=0.0.0.0

then the netsh http add sslcert commands started behaving properly.

Tim Danner
  • 630
  • 8
  • 20
5

In my case the problem is that I am following the Microsoft instructions. I copied the thumbprint from the SSL window. Doing so copies non-printable characters at the beginning of the hash.

Try to paste the thumbprint into Notepad and then press Home and press Delete twice (until the first character from the thumbprint is deleted) and then re-add the character. You can see the character if you copy the thumbprint and paste it into cmd:

Thumbprint with "?"

SimSimY
  • 3,616
  • 2
  • 30
  • 35
3

Using the serial number instead of the thumbprint for the certhash parameter will cause this error because of the difference in the number of characters. Padding with 0s will change the error to:

SSL Certificate add failed, Error: 1312

Daniel N
  • 419
  • 8
  • 20
  • Does this answer the question (not a rhetorical question)? Perhaps expand your answer to make it clear? (But ***without*** "Edit:", "Update:", or similar - the answer should appear as if it was written today). – Peter Mortensen Sep 14 '22 at 12:22
3

This worked for me:

My certhash parameter wasn't fully 20 bytes long. I had to pad it with zeroes in front to get it to work.

So, instead of

certhash=112233445566778899aabbccddeeff00, I had to do this:

certhash=00000000112233445566778899aabbccddeeff00.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
2

You have ipport: rather than ipport= which is easy to do since you follow that with ip:port.

Also, watch out for the { versus < or (. That has also gotten me in the past.

GMLewisII
  • 366
  • 1
  • 7
2

Watch out. If you have a DNS name as a binding, use hostnameport instead of ipport:

netsh http delete sslcert hostnameport=domainame.com:443

I had to delete ADFS Proxy Bindings for Office 365 single sign-on.

joelschmid
  • 828
  • 1
  • 16
  • 32
1

This will work from the PowerShell command line:

$AppId = [Guid]::NewGuid().Guid
$Hash = "209966E2BEDA57E3DB74FD4B1E7266F43EB7B56D"

netsh http add sslcert hostnameport=localhost:8088 certhash=$Hash appid=`{$AppId`} certstorename=my

The important details are to escape each { } with a backtick (`) and not to omit certstorename. Otherwise, netsh raises an error 87.

The variables are just for sake of convenience.

Peter M.
  • 686
  • 1
  • 5
  • 17
1

This is actually a syntax problem of cmd vs PowerShell. Changing the command to

netsh http add sslcert ipport=0.0.0.0:8085 certhash=4da5af739d6745de4e38fea9574cdaa79032ea14 appid="{7BBE87B9-D98F-41D7-B726-FC5E1300ED28}"

will work in both terminals.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
1

There were a few things I did that I thought made it work after getting the same "The parameter is incorrect." error.

  1. I restarted the machine and did it again. It worked the first time.

  2. I made sure I was in C:\ and issued the command again after restarting didn't work.

    I couldn't explain why, but I think that maybe both times, there was something else wrong. Because the third time this happened to me:

  3. I went through the thumbprint of my CA (not the issued server cert) and copied it again from the MMC and it worked.

After this happened, I deleted it again (netsh http delete sslcert ipport=0.0.0.0:) and repeated the process using the thumbprint of the server certificate. The darned thing worked again.

I don't know. Just try going through the same thing I did. Maybe one of these would work. In the end, I suspect that I entered a bogus space or character in the certhash.

Derrick
  • 831
  • 1
  • 7
  • 9
0

The "-"s are not irrelevant.

If your GUID doesn’t look exactly like this, you will get the incorrect parameter error:

{EDE3C891-306C-40fe-BAD4-895B236A1CC8}

vs.

EDE3C891306C40feBAD4895B236A1CC8 -> WRONG
{EDE3C891306C40feBAD4895B236A1CC8} -> WRONG

Also I’m using the GUID for the appid of IIS, not a random one.

Martin Clemens Bloch
  • 1,047
  • 1
  • 12
  • 28
0

I must have ended up mangling the relationship between Visual Studio and IIS Express by deleting the localhost certificate. I was really stuck. The application wouldn't start and nothing I could do seemed to correct this disconnect (which is what brought me to this thread to begin with).

I was finally able to get over the issue by changing the assigned port on the non-SSL URL (launchSettings.json in .NET Core applications) and disabling the Enable SSL checkbox in the project settings and taking a fresh start. I was then able to add my newly created cert with this command: netsh http add sslcert ipport=0.0.0.0:44392 appid={214124cd-d05b-4309-9af9-9caa44b2b74b} certhash=A0ADC1A1002F288CCFA96261F9F352D28C675A90.

Also, note that the appid variable is not a reflection of your Visual Studio project AppID (or at least it doesn't have to be). It's just an arbitrary GUID, according to Scott Hanselmann:

The AppId doesn't really matter, it's just a GUID. This tells HTTP.SYS that we're using that certificate.

This was not obvious to me and made dealing with the parameter is incorrect error that much more obscure.

Vinney Kelly
  • 4,975
  • 1
  • 25
  • 31
0

I was trying to add an IP address and port with the hostnameport parameter, so I got this parameter error.

netsh http add sslcert hostnameport="10.0.0.120:443"

Instead of:

netsh http add sslcert ipport="10.0.0.120:443"

Nicolas Leucci
  • 2,829
  • 1
  • 13
  • 12
0

I had a hidden issue that only showed in PowerShell, not on a command prompt.

I had copied a thumbprint from a certificate and removed all spaces in Notepad++, but it still had a hidden character in front.

It looked like this:

.. certhash=dca41243...

It was actually

.. certhash="special char"dca41243...

Tommy G.
  • 355
  • 2
  • 9
0

We have put the parameters in quotes (double quotes, not single), and this helped us. This way it worked perfectly.

netsh http add sslcert hostnameport="servername.domain.suffix:8443" certhash="6a1234abcd567edf" appid="{eca1234-a456-5678-abcd-edffg6789}" certstorename="MY"