How to assign an SSL Certificate to IIS7 Site from Command Prompt


Solution 1

The answer is to use NETSH. For example

netsh http add sslcert ipport=0.0.0.0:443 certhash='baf9926b466e8565217b5e6287c97973dcd54874' appid='{ab3c58f7-8316-42e3-bc6e-771d4ce4b201}'

Solution 2

This helped me a lot: a simple guide, by Sukesh Ashok Kumar, to setting up SSL for IIS from the command line. Includes importing/generating the certificate with certutil / makecert.

http://www.awesomeideas.net/post/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx

EDIT: if the original URL is down, it's still available through the Wayback Machine.

Solution 3

With PowerShell and the WebAdministration module, you can do the following to assign an SSL certificate to an IIS site:

# ensure you have the IIS module imported
Import-Module WebAdministration

cd IIS:\SslBindings
Get-Item cert:\LocalMachine\My\7ABF581E134280162AFFFC81E62011787B3B19B5 | New-Item 0.0.0.0!443

Things to note... the value, "7ABF581E134280162AFFFC81E62011787B3B19B5" is the thumbprint for the certificate you want to import. So it needs to be imported into the certificate store first. The New-Item cmdlet takes in the IP address (0.0.0.0 for all IPs) and the port.

See http://learn.iis.net/page.aspx/491/powershell-snap-in-configuring-ssl-with-the-iis-powershell-snap-in/ for more details.

I've tested this in Windows Server 2008 R2 as well as Windows Server 2012 pre-release.

Solution 4

@David and @orip have it right.

However, I did want to mention that the ipport parameter specified in the example (0.0.0.0:443) is what the MSDN calls the "unspecified address (IPv4: 0.0.0.0 or IPv6: [::])".

I went looking it up, so I figured I'd document here to save someone else the time. This article focuses on SQL Server, but the information is still relevant:

http://msdn.microsoft.com/en-us/library/ms186362.aspx

Solution 5

Using PowerShell + netsh:

$certificateName = 'example.com'
$thumbprint = Get-ChildItem -path cert:\LocalMachine\My | where { $_.Subject.StartsWith("CN=$certificateName") } | Select-Object -Expand Thumbprint
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert ipport="0.0.0.0:443" certhash=$thumbprint certstorename=MY appid="$guid"

If you need a named binding, replace netsh call with this:

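# ${...} is needed here: "$certificateName:443" is parsed as a scoped variable reference and fails
netsh http add sslcert hostnameport="${certificateName}:443" certhash=$thumbprint certstorename=MY appid="$guid"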
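
The netsh approach from the answers above, wrapped with the checks that the thread keeps running into: the certificate has to be in the LocalMachine\My store already, and an ip:port that is already bound fails with Error 183. This is an added example, not code from any of the answers; the function name `Set-SslCertBinding` and its parameters are hypothetical, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the answers): idempotent netsh binding with pre-flight checks.
# Set-SslCertBinding and its parameter names are hypothetical.
function Set-SslCertBinding {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [string] $IpPort = '0.0.0.0:443',
        [string] $AppId  = ([guid]::NewGuid().ToString('B'))
    )

    # Thumbprints pasted from the certificate dialog can carry spaces or
    # invisible characters; keep only the hex digits.
    $Thumbprint = $Thumbprint -replace '[^0-9a-fA-F]', ''
    if ($Thumbprint.Length -ne 40) {
        throw 'Expected a 40-character SHA-1 thumbprint.'
    }

    # The certificate must already be imported, with its private key, and still valid.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw 'Certificate has no private key in LocalMachine\My.'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter)."
    }

    # Inspect the current binding. Matching on the hash itself avoids
    # depending on the localized netsh output labels.
    $existing = netsh http show sslcert ipport=$IpPort | Out-String
    if ($existing -match $Thumbprint) {
        Write-Output "$IpPort is already bound to $Thumbprint; nothing to do."
        return
    }
    if ($existing -match '\b[0-9a-fA-F]{40}\b') {
        # A different certificate holds this ip:port; adding now would fail with Error 183.
        Write-Output "Replacing existing binding on $IpPort (was $($Matches[0]))."
        netsh http delete sslcert ipport=$IpPort | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh delete sslcert failed ($LASTEXITCODE)." }
    }

    netsh http add sslcert ipport=$IpPort certhash=$Thumbprint certstorename=MY appid="$AppId"
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed ($LASTEXITCODE)." }
}

# Usage, with the thumbprint of a certificate already in LocalMachine\My:
# Set-SslCertBinding -Thumbprint '<40-hex-digit thumbprint>'
```

Afterwards, `netsh http show sslcert` (mentioned in the comments) should list the ip:port with the expected certificate hash.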
Author by

David Christiansen

Updated on December 16, 2021

Comments

  • David Christiansen
    David Christiansen over 2 years

    Can you advise me whether it is possible or not to assign an SSL Certificate to a website in IIS7 using the APPCMD application?

    I am familiar with the command to set the HTTPS Binding

    appcmd set site /site.name:"A Site" /+bindings.[protocol='https',bindingInformation='*:443:www.mysite.com']
    

    and how to obtain current mappings

    %windir%\system32\inetsrv\Appcmd
    

    but cannot seem to find any way to map a site to a certificate (say the certificate's hash, for example)

  • David Christiansen
    David Christiansen almost 13 years
    I simply use a random GUID for the appID
  • littlegreen
    littlegreen about 12 years
    Doesn't work for me: SSL Certificate add failed, Error: 183 Cannot create a file when that file already exists.
  • Martin Clemens Bloch
    Martin Clemens Bloch almost 11 years
    Try to look here, you might need a non-default name: msdn.microsoft.com/en-us/library/windows/desktop/…
  • tigrou
    tigrou about 10 years
    typing netsh http show sslcert will give appid and certhash of certificates installed on machine.
  • orip
    orip over 9 years
    @TLS - crap. Added a wayback machine link.
  • ympostor
    ympostor over 7 years
    netsh http show sslcert doesn't show anything for me, and I was expecting it to at least show the self-signed certificate that comes by default with IIS called TenantEncryptionCert
  • ciriarte
    ciriarte about 7 years
    Greetings, powershellers from the future. Remember to add single quotes in appid='{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
  • carpenterjc
    carpenterjc almost 7 years
    I like the way you can use Get-Item cert:\LocalMachine\My* to take advantage of AD provisioned SSL certs.
  • user3505901
    user3505901 about 6 years
    Can someone elaborate on how to get the app id for a specific site? I tried Get-StartApps but there doesn't appear to be any sites listed in that.
  • user3505901
    user3505901 about 6 years
    This command succeeded but the ssl certificate is not selected for me in iis window, what does this actually do?
  • Sridhar Sarnobat
    Sridhar Sarnobat about 6 years
    In case anyone is trying to automate this with chef, it looks like it's a routine in windows/resources/certificate_binding.rb
  • SeanN
    SeanN almost 6 years
    Where do you get the appid? I use {4dc3e181-e14b-4a21-b022-59fc669b0914}, which is the appid for IIS, and is used when you do this in the IIS Manager UI. Doesn't work for me: SSL Certificate add failed, Error: 183 Cannot create a file when that file already exists. You're trying to configure a port that is already configured, see netsh http show sslcert and netsh http delete sslcert for checking and deleting configs. Remember to add single quotes ... Single quotes are shown here, you need to remove them if using a Windows command prompt.
  • James
    James over 5 years
    Why do you use netsh and appcmd? I'm trying to understand the process, but it seems to me that they are doing the same thing (create the binding for all IPs). Have I missed something?